Browse code
oggparsedaala: reject too large gpshift
Also use a unsigned constant for the shift calculation, as 1 << 31 is
undefined for int32_t. This is also fixed oggparsetheora.
This fixes ubsan runtime error: shift exponent is too large for
32-bit type 'int'
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Andreas Cadhalpun authored on 2015/12/30 02:32:01Showing 2 changed files
| ... | ... |
@@ -123,7 +123,12 @@ static int daala_header(AVFormatContext *s, int idx) |
| 123 | 123 |
|
| 124 | 124 |
hdr->frame_duration = bytestream2_get_ne32(&gb); |
| 125 | 125 |
hdr->gpshift = bytestream2_get_byte(&gb); |
| 126 |
- hdr->gpmask = (1 << hdr->gpshift) - 1; |
|
| 126 |
+ if (hdr->gpshift >= 32) {
|
|
| 127 |
+ av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n", |
|
| 128 |
+ hdr->gpshift); |
|
| 129 |
+ return AVERROR_INVALIDDATA; |
|
| 130 |
+ } |
|
| 131 |
+ hdr->gpmask = (1U << hdr->gpshift) - 1; |
|
| 127 | 132 |
|
| 128 | 133 |
hdr->format.depth = 8 + 2*(bytestream2_get_byte(&gb)-1); |
| 129 | 134 |
|
| ... | ... |
@@ -108,7 +108,7 @@ static int theora_header(AVFormatContext *s, int idx) |
| 108 | 108 |
skip_bits(&gb, 2); |
| 109 | 109 |
|
| 110 | 110 |
thp->gpshift = get_bits(&gb, 5); |
| 111 |
- thp->gpmask = (1 << thp->gpshift) - 1; |
|
| 111 |
+ thp->gpmask = (1U << thp->gpshift) - 1; |
|
| 112 | 112 |
|
| 113 | 113 |
st->codec->codec_type = AVMEDIA_TYPE_VIDEO; |
| 114 | 114 |
st->codec->codec_id = AV_CODEC_ID_THEORA; |