@@ -1040,6 +1040,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
td->ysize = FFMIN(s->tile_attr.ySize, s->ydelta - tile_y * s->tile_attr.ySize);
td->xsize = FFMIN(s->tile_attr.xSize, s->xdelta - tile_x * s->tile_attr.xSize);
+ if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+ return AVERROR_INVALIDDATA;
+
td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */
} else {
@@ -1059,6 +1062,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */
td->xsize = s->xdelta;
+ if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+ return AVERROR_INVALIDDATA;
+
td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */
Fixes: signed integer overflow: 570425356 * 6 cannot be represented in type 'int Fixes: 25929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5099197739827200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/exr.c | 6 ++++++ 1 file changed, 6 insertions(+)