avcodec/shorten: Check k in get_uint()
authorMichael Niedermayer <michael@niedermayer.cc>
Sat, 6 May 2017 16:28:09 +0000 (18:28 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sat, 20 May 2017 01:41:33 +0000 (03:41 +0200)
Fixes: undefined shift
Fixes: 1371/clusterfuzz-testcase-minimized-5770822591447040

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7b6a51f59c467ab9f4b73122dc269206fb517425)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/shorten.c

index 0f5be96..32f808b 100644 (file)
@@ -156,8 +156,11 @@ static int allocate_buffers(ShortenContext *s)
 
 static inline unsigned int get_uint(ShortenContext *s, int k)
 {
-    if (s->version != 0)
+    if (s->version != 0) {
         k = get_ur_golomb_shorten(&s->gb, ULONGSIZE);
+        if (k > 31U)
+            return AVERROR_INVALIDDATA;
+    }
     return get_ur_golomb_shorten(&s->gb, k);
 }