[FFmpeg-devel,5/5] avcodec/exr: Avoid signed overflow in displayWindow

Message ID 20220321201946.16919-5-michael@niedermayer.cc
State Accepted
Commit 1291568c9834c02413ab5d87762308f15b4ae9c6
Series [FFmpeg-devel,1/5] avcodec/vp9_superframe_bsf: Check in size

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_aarch64_jetson success Make finished
andriy/make_fate_aarch64_jetson success Make fate finished
andriy/make_armv7_RPi4 success Make finished
andriy/make_fate_armv7_RPi4 success Make fate finished

Commit Message

Michael Niedermayer March 21, 2022, 8:19 p.m. UTC
The inputs are unused except for this computation so wraparound
does not give an attacker any extra values as they are already fully
controlled

Fixes: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int'
Fixes: 45820/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5766159019933696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/exr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Paul B Mahol March 22, 2022, 10:42 a.m. UTC | #1
probably ok
Michael Niedermayer April 3, 2022, 9:23 p.m. UTC | #2
On Tue, Mar 22, 2022 at 11:42:52AM +0100, Paul B Mahol wrote:
> probably ok

will apply

thx

[...]
Patch

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index dd5924245f..f338ff0085 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1833,8 +1833,8 @@  static int decode_header(EXRContext *s, AVFrame *frame)
             dx = bytestream2_get_le32(gb);
             dy = bytestream2_get_le32(gb);
 
-            s->w = dx - sx + 1;
-            s->h = dy - sy + 1;
+            s->w = (unsigned)dx - sx + 1;
+            s->h = (unsigned)dy - sy + 1;
 
             continue;
         } else if ((var_size = check_header_variable(s, "lineOrder",
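
Review bot: The two `+` lines in decode_header() make the subtraction wrap instead of overflowing, but the wrapped result is still stored in `s->w` and `s->h` with no range check visible before `continue`. A file with `dx < sx` or with extreme window coordinates can therefore still produce a zero or wrapped width or height. The commit message argues this is harmless because the inputs are fully attacker-controlled and used only here, but nothing in the code records that reasoning. Please add a one-line comment above `s->w = (unsigned)dx - sx + 1;` stating that the wraparound is intentional, and confirm that `s->w` and `s->h` are validated later in the decoder before they are used as dimensions. If they are not, reject the header here when the result is not a positive, plausible size, rather than relying on the cast alone.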