[FFmpeg-devel,1/2] avformat/avidec: Fix io_fsize overflow

Message ID	20200621223619.1797-1-michael@niedermayer.cc
State	Accepted
Commit	cf0c700b0c25f5d9fe50dd27086a06812822f11a
Headers	show Return-Path: <ffmpeg-devel-bounces@ffmpeg.org> From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Mon, 22 Jun 2020 00:36:18 +0200 Message-Id: <20200621223619.1797-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 1/2] avformat/avidec: Fix io_fsize overflow Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Series	[FFmpeg-devel,1/2] avformat/avidec: Fix io_fsize overflow \| expand [FFmpeg-devel,1/2] avformat/avidec: Fix io_fsize overflow [FFmpeg-devel,2/2] avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d()

Message ID

20200621223619.1797-1-michael@niedermayer.cc

State

Accepted

Commit

cf0c700b0c25f5d9fe50dd27086a06812822f11a

Headers

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Mon, 22 Jun 2020 00:36:18 +0200
Message-Id: <20200621223619.1797-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/2] avformat/avidec: Fix io_fsize overflow
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Series

[FFmpeg-devel,1/2] avformat/avidec: Fix io_fsize overflow | expand

Context	Check	Description
andriy/default	pending
andriy/make	success	Make finished
andriy/make_fate	success	Make fate finished

Context

Check

Description

andriy/default

pending

andriy/make

success

Make finished

andriy/make_fate

success

Make fate finished

Commit Message

Michael Niedermayer June 21, 2020, 10:36 p.m. UTC

Fixes: signed integer overflow: 7958120835074169528 * 9 cannot be represented in type 'long long'
Fixes: 23382/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6230683226996736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/avidec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer Sept. 5, 2020, 3:47 p.m. UTC | #1

On Mon, Jun 22, 2020 at 12:36:18AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 7958120835074169528 * 9 cannot be represented in type 'long long'
> Fixes: 23382/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6230683226996736
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/avidec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply patchset

[...]

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 5fc3e01aa9..df677a1618 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -439,7 +439,7 @@  static int calculate_bitrate(AVFormatContext *s)
         maxpos = FFMAX(maxpos, st->index_entries[j-1].pos);
         lensum += len;
     }
-    if (maxpos < avi->io_fsize*9/10) // index does not cover the whole file
+    if (maxpos < av_rescale(avi->io_fsize, 9, 10)) // index does not cover the whole file
         return 0;
     if (lensum*9/10 > maxpos || lensum < maxpos*9/10) // frame sum and filesize mismatch
         return 0;

[FFmpeg-devel,1/2] avformat/avidec: Fix io_fsize overflow

Checks

Commit Message

Comments

Patch