avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter

The max depth is 16bps, the max allowed coefficient depth is depth+6 Fixes: signed integer overflow: 1074266112 + 1073725439 cannot be represented in type 'int' Fixes: 26493/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657763331702784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-23 00:24:01 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-11-29 16:10:56 +0100
commit: 7cf852b03c3ae6b61f89614371d2cb308d0b7f86 (patch)
tree: fe7ba0cc0a8beae5d1f32646cd6bbdf6ab7cc8f8 /libavcodec/hevc_cabac.c
parent: 9dc3301745d8271ae3ba0f1b998d8e6a0aa01bc1 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 3dc0987dad..3635b16ca9 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int
     } else {
         int prefix_minus3 = prefix - 3;
 
-        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
+        if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) {
             av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
             return 0;
         }
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-23 00:24:01 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-11-29 16:10:56 +0100
commit	7cf852b03c3ae6b61f89614371d2cb308d0b7f86 (patch)
tree	fe7ba0cc0a8beae5d1f32646cd6bbdf6ab7cc8f8 /libavcodec/hevc_cabac.c
parent	9dc3301745d8271ae3ba0f1b998d8e6a0aa01bc1 (diff)