subject:"\[FFmpeg\-cvslog\] avcodec\/h264_slice\: Fix overflow in slice offset"

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

2017-10-26 Thread Michael Niedermayer

ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Fri Aug  4 02:41:05 2017 +0200| [b59d6183c4ffc33ae920220eb8ef75821ca425e3] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be 
represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b59d6183c4ffc33ae920220eb8ef75821ca425e3
---

 libavcodec/h264_slice.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 0b3e0406f2..c0b3b67e49 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1822,17 +1822,19 @@ int ff_h264_decode_slice_header(H264Context *h, 
H264SliceContext *sl)
 sl->deblocking_filter ^= 1;  // 1<->0
 
 if (sl->deblocking_filter) {
-sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2;
-sl->slice_beta_offset = get_se_golomb(>gb) * 2;
-if (sl->slice_alpha_c0_offset >  12 ||
-sl->slice_alpha_c0_offset < -12 ||
-sl->slice_beta_offset >  12 ||
-sl->slice_beta_offset < -12) {
+int slice_alpha_c0_offset_div2 = get_se_golomb(>gb);
+int slice_beta_offset_div2 = get_se_golomb(>gb);
+if (slice_alpha_c0_offset_div2 >  6 ||
+slice_alpha_c0_offset_div2 < -6 ||
+slice_beta_offset_div2 >  6 ||
+slice_beta_offset_div2 < -6) {
 av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
-   sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+   slice_alpha_c0_offset_div2, slice_beta_offset_div2);
 return AVERROR_INVALIDDATA;
 }
+sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+sl->slice_beta_offset = slice_beta_offset_div2 * 2;
 }
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

2017-09-17 Thread Michael Niedermayer

ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Fri Aug  4 02:41:05 2017 +0200| [74e9dbf0dfb009ced1dcba341b25bc37357b7b7a] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be 
represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74e9dbf0dfb009ced1dcba341b25bc37357b7b7a
---

 libavcodec/h264_slice.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index d3f1360359..cdd56af1f7 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1697,17 +1697,19 @@ int ff_h264_decode_slice_header(H264Context *h, 
H264SliceContext *sl)
 sl->deblocking_filter ^= 1;  // 1<->0
 
 if (sl->deblocking_filter) {
-sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2;
-sl->slice_beta_offset = get_se_golomb(>gb) * 2;
-if (sl->slice_alpha_c0_offset >  12 ||
-sl->slice_alpha_c0_offset < -12 ||
-sl->slice_beta_offset >  12 ||
-sl->slice_beta_offset < -12) {
+int slice_alpha_c0_offset_div2 = get_se_golomb(>gb);
+int slice_beta_offset_div2 = get_se_golomb(>gb);
+if (slice_alpha_c0_offset_div2 >  6 ||
+slice_alpha_c0_offset_div2 < -6 ||
+slice_beta_offset_div2 >  6 ||
+slice_beta_offset_div2 < -6) {
 av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
-   sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+   slice_alpha_c0_offset_div2, slice_beta_offset_div2);
 return AVERROR_INVALIDDATA;
 }
+sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+sl->slice_beta_offset = slice_beta_offset_div2 * 2;
 }
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

2017-09-17 Thread Michael Niedermayer

ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Aug  4 02:41:05 2017 +0200| [b66aa37834c2913be41a8404662c403c1c68b683] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be 
represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b66aa37834c2913be41a8404662c403c1c68b683
---

 libavcodec/h264_slice.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 68b73da418..ce1fc18219 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1739,17 +1739,19 @@ static int h264_slice_header_parse(const H264Context 
*h, H264SliceContext *sl,
 sl->deblocking_filter ^= 1;  // 1<->0
 
 if (sl->deblocking_filter) {
-sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2;
-sl->slice_beta_offset = get_se_golomb(>gb) * 2;
-if (sl->slice_alpha_c0_offset >  12 ||
-sl->slice_alpha_c0_offset < -12 ||
-sl->slice_beta_offset >  12 ||
-sl->slice_beta_offset < -12) {
+int slice_alpha_c0_offset_div2 = get_se_golomb(>gb);
+int slice_beta_offset_div2 = get_se_golomb(>gb);
+if (slice_alpha_c0_offset_div2 >  6 ||
+slice_alpha_c0_offset_div2 < -6 ||
+slice_beta_offset_div2 >  6 ||
+slice_beta_offset_div2 < -6) {
 av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
-   sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+   slice_alpha_c0_offset_div2, slice_beta_offset_div2);
 return AVERROR_INVALIDDATA;
 }
+sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+sl->slice_beta_offset = slice_beta_offset_div2 * 2;
 }
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

2017-09-09 Thread Michael Niedermayer

ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Aug  4 02:41:05 2017 +0200| [1dbfcd65b26d93d4beaca0c0fc60c31092e555bc] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be 
represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1dbfcd65b26d93d4beaca0c0fc60c31092e555bc
---

 libavcodec/h264_slice.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 86b72dff7f..3f3a3e4067 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1835,17 +1835,19 @@ static int h264_slice_header_parse(const H264Context 
*h, H264SliceContext *sl,
 sl->deblocking_filter ^= 1;  // 1<->0
 
 if (sl->deblocking_filter) {
-sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2;
-sl->slice_beta_offset = get_se_golomb(>gb) * 2;
-if (sl->slice_alpha_c0_offset >  12 ||
-sl->slice_alpha_c0_offset < -12 ||
-sl->slice_beta_offset >  12 ||
-sl->slice_beta_offset < -12) {
+int slice_alpha_c0_offset_div2 = get_se_golomb(>gb);
+int slice_beta_offset_div2 = get_se_golomb(>gb);
+if (slice_alpha_c0_offset_div2 >  6 ||
+slice_alpha_c0_offset_div2 < -6 ||
+slice_beta_offset_div2 >  6 ||
+slice_beta_offset_div2 < -6) {
 av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
-   sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+   slice_alpha_c0_offset_div2, slice_beta_offset_div2);
 return AVERROR_INVALIDDATA;
 }
+sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+sl->slice_beta_offset = slice_beta_offset_div2 * 2;
 }
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

2017-08-24 Thread Michael Niedermayer

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Aug  4 02:41:05 2017 +0200| [f236601e29b986a547d68aa3248e06ffbeee1e39] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be 
represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f236601e29b986a547d68aa3248e06ffbeee1e39
---

 libavcodec/h264_slice.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index ab9f171921..033dd2ab85 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1835,17 +1835,19 @@ int ff_h264_decode_slice_header(H264Context *h, 
H264SliceContext *sl)
 sl->deblocking_filter ^= 1;  // 1<->0
 
 if (sl->deblocking_filter) {
-sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2;
-sl->slice_beta_offset = get_se_golomb(>gb) * 2;
-if (sl->slice_alpha_c0_offset >  12 ||
-sl->slice_alpha_c0_offset < -12 ||
-sl->slice_beta_offset >  12 ||
-sl->slice_beta_offset < -12) {
+int slice_alpha_c0_offset_div2 = get_se_golomb(>gb);
+int slice_beta_offset_div2 = get_se_golomb(>gb);
+if (slice_alpha_c0_offset_div2 >  6 ||
+slice_alpha_c0_offset_div2 < -6 ||
+slice_beta_offset_div2 >  6 ||
+slice_beta_offset_div2 < -6) {
 av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
-   sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+   slice_alpha_c0_offset_div2, slice_beta_offset_div2);
 return AVERROR_INVALIDDATA;
 }
+sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+sl->slice_beta_offset = slice_beta_offset_div2 * 2;
 }
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

2017-08-05 Thread Michael Niedermayer

ffmpeg | branch: master | Michael Niedermayer  | Fri 
Aug  4 02:41:05 2017 +0200| [1f53bde6d817ae13a47748f321adbdfa79e15982] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be 
represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f53bde6d817ae13a47748f321adbdfa79e15982
---

 libavcodec/h264_slice.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 2fb89b189d..4e7eba4adb 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1854,17 +1854,19 @@ static int h264_slice_header_parse(const H264Context 
*h, H264SliceContext *sl,
 sl->deblocking_filter ^= 1;  // 1<->0
 
 if (sl->deblocking_filter) {
-sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2;
-sl->slice_beta_offset = get_se_golomb(>gb) * 2;
-if (sl->slice_alpha_c0_offset >  12 ||
-sl->slice_alpha_c0_offset < -12 ||
-sl->slice_beta_offset >  12 ||
-sl->slice_beta_offset < -12) {
+int slice_alpha_c0_offset_div2 = get_se_golomb(>gb);
+int slice_beta_offset_div2 = get_se_golomb(>gb);
+if (slice_alpha_c0_offset_div2 >  6 ||
+slice_alpha_c0_offset_div2 < -6 ||
+slice_beta_offset_div2 >  6 ||
+slice_beta_offset_div2 < -6) {
 av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
-   sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+   slice_alpha_c0_offset_div2, slice_beta_offset_div2);
 return AVERROR_INVALIDDATA;
 }
+sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+sl->slice_beta_offset = slice_beta_offset_div2 * 2;
 }
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

6 matches

Site Navigation

Mail list logo

Footer information