Message ID | 20210211223927.10122-3-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | b5d8fe1c874947ca67ee8117b18f8052f0e590fc |
Series | [FFmpeg-devel,1/3] avformat/electronicarts: Clear partial_packet on error |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
On Thu, Feb 11, 2021 at 11:39:27PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
> Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/flvdec.c | 2 ++
> 1 file changed, 2 insertions(+)

will apply

[...]
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 30d1fcf4b7..138a96ec61 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -871,6 +871,8 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) parse_name = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = avio_rb32(pb); + if (nb < 0) + return AVERROR_INVALIDDATA; case AMF_DATA_TYPE_OBJECT: while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) { if (parse_name) {
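Review bot: the new `if (nb < 0) return AVERROR_INVALIDDATA;` after `nb = avio_rb32(pb);` is the right guard but deserves a one-line comment, because the reason is not visible from the code itself: `avio_rb32()` yields an unsigned 32-bit value, so a count with the top bit set turns negative once stored in the signed `nb`, and the `nb-- > 0` in the `while` condition then wraps below INT_MIN (the `-2147483648 - 1` in the fuzzer report). Something like `/* counts >= 2^31 cannot occur in valid AMF and would underflow nb-- below */` would save the next reader a trip to the commit log. Two further observations from the hunk: `AMF_DATA_TYPE_ARRAY` falls through into this case after `parse_name = 0;`, so plain arrays are covered by the same check; and since the loop keeps running for `type != AMF_DATA_TYPE_ARRAY` while `nb--` is still evaluated on every iteration, `nb` continues to decrement past zero for object and mixed-array members. That can only reach INT_MIN after more than 2^31 iterations, each consuming input, so it is practically bounded, but it is worth stating in the same comment so nobody "fixes" the loop condition later without understanding it.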
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/flvdec.c | 2 ++
1 file changed, 2 insertions(+)