diff mbox series

[FFmpeg-devel,2/7] avcodec/nuv: widen buf_size type

Message ID 20200510192019.14218-2-michael@niedermayer.cc
State Accepted
Commit 1ac106bf5625de6aec31a34319298032e988f349
Headers show
Series [FFmpeg-devel,1/7] avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth() | expand

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate fail Make fate failed

Commit Message

Michael Niedermayer May 10, 2020, 7:20 p.m. UTC
Fixes: signed integer overflow: 65312 * 65312 cannot be represented in type 'int'
Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5740176118906880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/nuv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer May 11, 2020, 10:58 p.m. UTC | #1
On Sun, May 10, 2020 at 09:20:14PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 65312 * 65312 cannot be represented in type 'int'
> Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5740176118906880
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/nuv.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
diff mbox series

Patch

diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index 7958000ae8..3ceaaac4e9 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -126,7 +126,7 @@  static int codec_reinit(AVCodecContext *avctx, int width, int height,
         get_quant_quality(c, quality);
     if (width != c->width || height != c->height) {
         // also reserve space for a possible additional header
-        int buf_size = height * width * 3 / 2
+        int64_t buf_size = height * (int64_t)width * 3 / 2
                      + FFMAX(AV_LZO_OUTPUT_PADDING, AV_INPUT_BUFFER_PADDING_SIZE)
                      + RTJPEG_HEADER_SIZE;
         if (buf_size > INT_MAX/8)