avcodec/alsdec: Check k from being outside what our implementation can handle
author Michael Niedermayer <michael@niedermayer.cc>
Sun, 25 Aug 2019 16:22:50 +0000 (18:22 +0200)
committer Michael Niedermayer <michael@niedermayer.cc>
Wed, 11 Sep 2019 20:43:14 +0000 (22:43 +0200)
The specification does not seem to list what the maximum valid
value is

Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 16268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5638164544225280

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/alsdec.c

index f8d10df8c6c06103e3ee05d038f44998d4b2ffa7..a53c170d187b2c51ded9526146bdc841d5d89e71 100644 (file)
@@ -833,6 +833,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
             k    [sb] = s[sb] > b ? s[sb] - b : 0;
             delta[sb] = 5 - s[sb] + k[sb];
 
+            if (k[sb] >= 32)
+                return AVERROR_INVALIDDATA;
+
             ff_bgmc_decode(gb, sb_len, current_res,
                         delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status);
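
Review bot: The added `if (k[sb] >= 32)` check uses a bare 32 and returns AVERROR_INVALIDDATA silently, although the commit message says the specification lists no maximum and the limit comes from this implementation. A one-line comment above the check would help, stating that k[sb] is later used as a shift count on a 32-bit unsigned value (the "shift exponent 32 is too large for 32-bit type 'unsigned int'" report), so a later reader does not mistake 32 for a format constant. Since a stream with k >= 32 may be valid per the specification but unsupported here, consider logging the rejected value with av_log and returning AVERROR_PATCHWELCOME instead, which would let such a file be told apart from a corrupt one. The placement is right: the check runs after k[sb] is assigned and before the ff_bgmc_decode call. delta[sb] has already been written from the out-of-range k[sb] by then, which is harmless only as long as every caller discards the block on error.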