[FFmpeg-devel,4/4] avcodec/twinvq: Check block_align

Submitted by Michael Niedermayer on Oct. 22, 2019, 2:27 p.m.

Details

Message ID 20191022142704.8818-4-michael@niedermayer.cc
State Accepted
Commit 97f778e9c55328e8b48f4b8b4171245e5f2232f6
Headers show

Commit Message

Michael Niedermayer Oct. 22, 2019, 2:27 p.m.
Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int'
Fixes: 18348/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_METASOUND_fuzzer-6681325716635648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/twinvq.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

Comments

Michael Niedermayer Nov. 9, 2019, 5 p.m.
On Tue, Oct 22, 2019 at 04:27:04PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int'
> Fixes: 18348/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_METASOUND_fuzzer-6681325716635648
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/twinvq.c | 17 ++++++++++-------
>  1 file changed, 10 insertions(+), 7 deletions(-)

will apply

[...]

Patch hide | download patch | download mbox

diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 7b2e19e536..34ca1846b9 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -771,23 +771,26 @@  av_cold int ff_twinvq_decode_init(AVCodecContext *avctx)
 {
     int ret;
     TwinVQContext *tctx = avctx->priv_data;
+    int64_t frames_per_packet;
 
     tctx->avctx       = avctx;
     avctx->sample_fmt = AV_SAMPLE_FMT_FLTP;
 
     if (!avctx->block_align) {
         avctx->block_align = tctx->frame_size + 7 >> 3;
-    } else if (avctx->block_align * 8 < tctx->frame_size) {
-        av_log(avctx, AV_LOG_ERROR, "Block align is %d bits, expected %d\n",
-               avctx->block_align * 8, tctx->frame_size);
+    }
+    frames_per_packet = avctx->block_align * 8LL / tctx->frame_size;
+    if (frames_per_packet <= 0) {
+        av_log(avctx, AV_LOG_ERROR, "Block align is %"PRId64" bits, expected %d\n",
+               avctx->block_align * (int64_t)8, tctx->frame_size);
         return AVERROR_INVALIDDATA;
     }
-    tctx->frames_per_packet = avctx->block_align * 8 / tctx->frame_size;
-    if (tctx->frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) {
-        av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%d)\n",
-               tctx->frames_per_packet);
+    if (frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) {
+        av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%"PRId64")\n",
+               frames_per_packet);
         return AVERROR_INVALIDDATA;
     }
+    tctx->frames_per_packet = frames_per_packet;
 
     tctx->fdsp = avpriv_float_dsp_alloc(avctx->flags & AV_CODEC_FLAG_BITEXACT);
     if (!tctx->fdsp) {