ref: 9cfcac1cb3b2e765c24706a9e966859d588bc4ef
parent: c713f846168f4d6fd6a5e2150a115eaa661e5c77
author: James Zern <jzern@google.com>
date: Fri Feb 14 12:36:47 EST 2020
vp8,GetSigned: silence unsigned int overflow warning in non-conformant fuzzed bitstreams the calculation of br->value may overflow. this is defined behavior and harmless in that the stream is already corrupt. BUG=b/148271109 Change-Id: I3668ada57e0bd68cea86b82917fb03c19ac1283d
--- a/vp8/decoder/detokenize.c
+++ b/vp8/decoder/detokenize.c
@@ -11,6 +11,7 @@
#include "vp8/common/blockd.h"
#include "onyxd_int.h"
#include "vpx_mem/vpx_mem.h"
+#include "vpx_ports/compiler_attributes.h"
#include "vpx_ports/mem.h"
#include "detokenize.h"
@@ -52,7 +53,10 @@
/* for const-casting */
typedef const uint8_t (*ProbaArray)[NUM_CTX][NUM_PROBAS];
-static int GetSigned(BOOL_DECODER *br, int value_to_sign) {
+// With corrupt / fuzzed streams the calculation of br->value may overflow. See
+// b/148271109.
+static VPX_NO_UNSIGNED_OVERFLOW_CHECK int GetSigned(BOOL_DECODER *br,
+ int value_to_sign) {
int split = (br->range + 1) >> 1;
VP8_BD_VALUE bigsplit = (VP8_BD_VALUE)split << (VP8_BD_VALUE_SIZE - 8);
int v;
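Review bot: `VPX_NO_UNSIGNED_OVERFLOW_CHECK` is attached to the whole of `GetSigned`, so the sanitizer stops reporting every unsigned wrap in the function, not only the one on `br->value` that the new comment mentions. The function body continues past the end of this hunk, so the statement that actually wraps is not visible here. The comment should name that statement and carry the justification from the commit message, because the bug id alone may not be readable by everyone who builds or fuzzes the decoder. For example: `// br->value may wrap on corrupt/fuzzed input; unsigned wrap is defined behavior and the stream is already invalid (b/148271109).` Since fuzzing of this function will no longer show unsigned wraps, any later use of the decoder state as a length or index would need its own explicit range check.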