Commit 6d96bae9 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/adpcm: XA: Check shift similar to filter

Fixes: negative shift
Fixes: 22499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5765452130418688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent bd6336b9
...@@ -559,6 +559,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, ...@@ -559,6 +559,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1,
avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter);
filter=0; filter=0;
} }
if (shift < 0) {
avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift);
shift = 0;
}
f0 = xa_adpcm_table[filter][0]; f0 = xa_adpcm_table[filter][0];
f1 = xa_adpcm_table[filter][1]; f1 = xa_adpcm_table[filter][1];
...@@ -584,10 +588,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, ...@@ -584,10 +588,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1,
shift = 12 - (in[5+i*2] & 15); shift = 12 - (in[5+i*2] & 15);
filter = in[5+i*2] >> 4; filter = in[5+i*2] >> 4;
if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) { if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) {
avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter);
filter=0; filter=0;
} }
if (shift < 0) {
avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift);
shift = 0;
}
f0 = xa_adpcm_table[filter][0]; f0 = xa_adpcm_table[filter][0];
f1 = xa_adpcm_table[filter][1]; f1 = xa_adpcm_table[filter][1];
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment