Message ID | 20210913224848.15336-2-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel,1/3] avcodec/jpeg2000_parser: Check state!=0 | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
andriy/make_ppc | success | Make finished |
andriy/make_fate_ppc | success | Make fate finished |
On 9/13/2021 7:48 PM, Michael Niedermayer wrote: > Fixes: signed integer overflow: 7020950083487072256 * 2 cannot be represented in type 'long long' > Fixes: 37523/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5133634955771904 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/exr.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/exr.c b/libavcodec/exr.c > index 67340c892da..c395b6098df 100644 > --- a/libavcodec/exr.c > +++ b/libavcodec/exr.c > @@ -1062,7 +1062,7 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size > } > > { > - unsigned long dest_len = dc_count * 2LL; > + unsigned long dest_len = dc_count * 2ULL; You could instead move this multiplication after the check below. If dc_count is equal to dc_w * dc_h * 3, multiplying it by 2 will never overflow an int64_t. Also, you may want to do the same for ac_count earlier in this function. It's also an int64_t set with AV_RL64() and the multiplied by 2LL. > GetByteContext agb = gb; > > if (dc_count != dc_w * dc_h * 3)
On Mon, Sep 13, 2021 at 11:30:31PM -0300, James Almer wrote: > On 9/13/2021 7:48 PM, Michael Niedermayer wrote: > > Fixes: signed integer overflow: 7020950083487072256 * 2 cannot be represented in type 'long long' > > Fixes: 37523/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5133634955771904 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/exr.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/exr.c b/libavcodec/exr.c > > index 67340c892da..c395b6098df 100644 > > --- a/libavcodec/exr.c > > +++ b/libavcodec/exr.c > > @@ -1062,7 +1062,7 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size > > } > > { > > - unsigned long dest_len = dc_count * 2LL; > > + unsigned long dest_len = dc_count * 2ULL; > > You could instead move this multiplication after the check below. If > dc_count is equal to dc_w * dc_h * 3, multiplying it by 2 will never > overflow an int64_t. > > Also, you may want to do the same for ac_count earlier in this function. > It's also an int64_t set with AV_RL64() and the multiplied by 2LL. will apply with these changes thx [...]
diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 67340c892da..c395b6098df 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1062,7 +1062,7 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size } { - unsigned long dest_len = dc_count * 2LL; + unsigned long dest_len = dc_count * 2ULL; GetByteContext agb = gb; if (dc_count != dc_w * dc_h * 3)
Fixes: signed integer overflow: 7020950083487072256 * 2 cannot be represented in type 'long long' Fixes: 37523/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5133634955771904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)