Message ID | 20201019155955.27725-3-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 715ff75e5dbbbefff7337351db596a9b7a5d4379 |
Headers | show |
Series | [FFmpeg-devel,1/4] avformat/genh: Check block_align | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
On Mon, Oct 19, 2020 at 05:59:54PM +0200, Michael Niedermayer wrote: > Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int' > Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/jacosubdec.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) will apply [...]
diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 3414eb3938..e70ceeaafd 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -136,6 +136,7 @@ static int get_shift(int timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; + int64_t ret; #define SSEP "%*1[.:]" int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP @@ -145,13 +146,16 @@ static int get_shift(int timeres, const char *buf) a = FFABS(a); } + ret = 0; switch (n) { - case 4: return sign * ((a*3600 + b*60 + c) * timeres + d); - case 3: return sign * (( a*60 + b) * timeres + c); - case 2: return sign * (( a) * timeres + b); + case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); + case 2: ret = sign * (( (int64_t)a) * timeres + b); } + if ((int)ret != ret) + ret = 0; - return 0; + return ret; } static int jacosub_read_header(AVFormatContext *s)
Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int' Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/jacosubdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)