avcodec/wavpack: Check bitrate_acc for overflow

Fixes: undefined behavior in 717/clusterfuzz-testcase-5434924129583104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/wavpack: Check bitrate_acc for overflow
Fixes: undefined behavior in 717/clusterfuzz-testcase-5434924129583104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
d03d3861 · Michael Niedermayer · fab13bbb · d03d3861
Commit d03d3861 authored Mar 03, 2017 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

wavpack.c libavcodec/wavpack.c +9 -3

No files found.
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -99,11 +99,13 @@ static av_always_inline int get_tail(GetBitContext *gb, int k)
    return res;
 }
-static void update_error_limit(WavpackFrameContext *ctx)
+static int update_error_limit(WavpackFrameContext *ctx)
 {
    int i, br[2], sl[2];
    for (i = 0; i <= ctx->stereo_in; i++) {
+        if (ctx->ch[i].bitrate_acc > UINT_MAX - ctx->ch[i].bitrate_delta)
+            return AVERROR_INVALIDDATA;
        ctx->ch[i].bitrate_acc += ctx->ch[i].bitrate_delta;
        br[i]                   = ctx->ch[i].bitrate_acc >> 16;
        sl[i]                   = LEVEL_DECAY(ctx->ch[i].slow_level);
@@ -131,6 +133,8 @@ static void update_error_limit(WavpackFrameContext *ctx)
            ctx->ch[i].error_limit = wp_exp2(br[i]);
        }
    }
+    return 0;
 }
 static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
@@ -200,8 +204,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
        ctx->zero = !ctx->one;
    }
-    if (ctx->hybrid && !channel)
+    if (ctx->hybrid && !channel) {
-        update_error_limit(ctx);
+        if (update_error_limit(ctx) < 0)
+            goto error;
+    }
    if (!t) {
        base = 0;