Fix the runtime error: shift exponent -1 is negative in huffdec.c #19
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When calling the function th_decode_ceaderin through constructed data, it will cause the len value in the oc_fuff_tree_unpack function to be -1 when subsequent functions run, resulting in the problem of negative displacement. This modification is to avoid len being negative
huffdec.c:228:27: runtime error: shift exponent -1 is negative
#0 0x5d471012bfd0 in oc_huff_tree_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:228
xiph#1 0x5d471012c134 in oc_huff_trees_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:392
xiph#2 0x5d471010a98c in oc_setup_unpack /home/uos/libtheora-18570/theora/lib/decinfo.c:169
xiph#3 0x5d471010a98c in oc_dec_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:238
xiph#4 0x5d471010a98c in th_decode_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:266
xiph#5 0x5d47100fd638 in TheoraDecoder::initialize() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
xiph#6 0x5d47100ffa76 in TheoraDecoder::Run() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
xiph#7 0x5d47100ffe48 in main /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
xiph#8 0x7cc9a5e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
xiph#9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
xiph#10 0x5d47100f9964 in _start (/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When calling the function th_decode_ceaderin through constructed data, it will cause the len value in the oc_fuff_tree_unpack function to be 0 when subsequent functions run, resulting in the problem of negative displacement. This modification is to avoid len being negative
huffdec.c:228:27: runtime error: shift exponent -1 is negative
#0 0x5d471012bfd0 in oc_huff_tree_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:228
#1 0x5d471012c134 in oc_huff_trees_unpack /home/uos/libtheora-18570/theora/lib/huffdec.c:392
#2 0x5d471010a98c in oc_setup_unpack /home/uos/libtheora-18570/theora/lib/decinfo.c:169
#3 0x5d471010a98c in oc_dec_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:238
#4 0x5d471010a98c in th_decode_headerin /home/uos/libtheora-18570/theora/lib/decinfo.c:266
#5 0x5d47100fd638 in TheoraDecoder::initialize() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:66
#6 0x5d47100ffa76 in TheoraDecoder::Run() /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:180
#7 0x5d47100ffe48 in main /home/uos/libtheora-18570/libtheora-18570/fuzzer.cpp:240
#8 0x7cc9a5e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7cc9a5e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x5d47100f9964 in _start (/home/uos/libtheora-18570/libtheora-18570/poc1+0x83964)