avcodec/h264_ps: Check delta scale for validity

Fixes: signed integer overflow: 5 + 2147483646 cannot be represented in type 'int' Fixes: 634/clusterfuzz-testcase-5285420445204480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-02-21 03:51:17 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-02-21 15:31:06 +0100
commit: cbd622be997e8307a409efc3b4bbe8765147def2 (patch)
tree: b2c1f51a44cc7f26674627e13c99a3b68f5470d1
parent: 28dc6e729137ba7927f46ba15c337417b8708fe8 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 270d06b52a..8090178395 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -257,8 +257,14 @@ static void decode_scaling_list(GetBitContext *gb, uint8_t *factors, int size,
         memcpy(factors, fallback_list, size * sizeof(uint8_t));
     else
         for (i = 0; i < size; i++) {
-            if (next)
-                next = (last + get_se_golomb(gb)) & 0xff;
+            if (next) {
+                int v = get_se_golomb(gb);
+                if (v < -128 || v > 127) {
+                    av_log(NULL, AV_LOG_ERROR, "delta scale %d is invalid\n", v);
+                    v = -last;
+                }
+                next = (last + v) & 0xff;
+            }
             if (!i && !next) { /* matrix not written, we use the preset one */
                 memcpy(factors, jvt_list, size * sizeof(uint8_t));
                 break;
author	Michael Niedermayer <michael@niedermayer.cc>	2017-02-21 03:51:17 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-02-21 15:31:06 +0100
commit	cbd622be997e8307a409efc3b4bbe8765147def2 (patch)
tree	b2c1f51a44cc7f26674627e13c99a3b68f5470d1
parent	28dc6e729137ba7927f46ba15c337417b8708fe8 (diff)