[FFmpeg-devel,2/3] avformat/cdxl: Fix integer overflow in intermediate

Submitted by Michael Niedermayer on Aug. 30, 2019, 11:25 p.m.

Details

Message ID 20190830232503.17889-2-michael@niedermayer.cc
State Accepted
Commit 5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac
Headers show

Commit Message

Michael Niedermayer Aug. 30, 2019, 11:25 p.m.
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int'
Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/cdxl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer Sept. 15, 2019, 10:25 p.m.
On Sat, Aug 31, 2019 at 01:25:02AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int'
> Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/cdxl.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

will apply

[...]

Patch hide | download patch | download mbox

diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c
index 9aacaddb40..e675b2c8f1 100644
--- a/libavformat/cdxl.c
+++ b/libavformat/cdxl.c
@@ -131,7 +131,8 @@  static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt)
     height       = AV_RB16(&cdxl->header[16]);
     palette_size = AV_RB16(&cdxl->header[20]);
     audio_size   = AV_RB16(&cdxl->header[22]);
-    if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
+    if (cdxl->header[19] == 0 ||
+        FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
         return AVERROR_INVALIDDATA;
     if (format == 0x20)
         image_size = width * height * cdxl->header[19] / 8;