| commit | 5314b13a8d5126b31b01ed8afe408f26da139994 | [log] [tgz] |
|---|---|---|
| author | Danil Chapovalov <danilchap@webrtc.org> | Tue Nov 26 09:13:07 2019 |
| committer | Commit Bot <commit-bot@chromium.org> | Thu Nov 28 11:27:33 2019 |
| tree | 0144385e1cf7be4f5bca7d58c1a5cd967dcc6e6e | |
| parent | bfcb6c3f13f776c72db2f405d823e1e582695543 [diff] |
Fix undefined-shift in RtpDepacketizerAv1::AssembleFrame Bug: chromium:1028348 Change-Id: I824e84138acbf4e73fc21ee8248e29e5cc7a0ba0 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/160643 Reviewed-by: Sam Zackrisson <saza@webrtc.org> Commit-Queue: Danil Chapovalov <danilchap@webrtc.org> Cr-Commit-Position: refs/heads/master@{#29945}
diff --git a/modules/rtp_rtcp/source/rtp_depacketizer_av1.cc b/modules/rtp_rtcp/source/rtp_depacketizer_av1.cc index 45122da..52c62f8 100644 --- a/modules/rtp_rtcp/source/rtp_depacketizer_av1.cc +++ b/modules/rtp_rtcp/source/rtp_depacketizer_av1.cc
@@ -311,7 +311,8 @@ return false; } leb128_byte = *it; - obu_size_bytes |= (leb128_byte & 0x7F) << (size_of_obu_size_bytes * 7); + obu_size_bytes |= uint64_t{leb128_byte & 0x7Fu} + << (size_of_obu_size_bytes * 7); ++size_of_obu_size_bytes; ++it; } while ((leb128_byte & 0x80) != 0);
diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn index 7acbf02..7e81d56 100644 --- a/test/fuzzers/BUILD.gn +++ b/test/fuzzers/BUILD.gn
@@ -550,6 +550,7 @@ sources = [ "rtp_depacketizer_av1_assemble_frame_fuzzer.cc", ] + seed_corpus = "corpora/rtp-depacketizer-av1-assemble-frame-corpus" deps = [ ":fuzz_data_helper", "../../api:array_view",
diff --git a/test/fuzzers/corpora/rtp-depacketizer-av1-assemble-frame-corpus/av1-assemble-frame-0 b/test/fuzzers/corpora/rtp-depacketizer-av1-assemble-frame-corpus/av1-assemble-frame-0 new file mode 100644 index 0000000..540a770 --- /dev/null +++ b/test/fuzzers/corpora/rtp-depacketizer-av1-assemble-frame-corpus/av1-assemble-frame-0