Message ID | 20201025230059.16740-3-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 8aadae670f28b88e94770262cd1136562bdb2f45 |
Headers | show |
Series | [FFmpeg-devel,1/4] avcodec/av1dec: Check for unset obu instead of crashing | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
On Mon, Oct 26, 2020 at 12:00:58AM +0100, Michael Niedermayer wrote: > Fixes: signed integer overflow: 617890810133996544 * 16 cannot be represented in type 'long' > Fixes: 26565/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5092054700654592 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/utils.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) will apply [...]
diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 93ac1cd9f0..e8451a7cf8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -513,7 +513,14 @@ static int64_t get_bit_rate(AVCodecContext *ctx) break; case AVMEDIA_TYPE_AUDIO: bits_per_sample = av_get_bits_per_sample(ctx->codec_id); - bit_rate = bits_per_sample ? ctx->sample_rate * (int64_t)ctx->channels * bits_per_sample : ctx->bit_rate; + if (bits_per_sample) { + bit_rate = ctx->sample_rate * (int64_t)ctx->channels; + if (bit_rate > INT64_MAX / bits_per_sample) { + bit_rate = 0; + } else + bit_rate *= bits_per_sample; + } else + bit_rate = ctx->bit_rate; break; default: bit_rate = 0;
Fixes: signed integer overflow: 617890810133996544 * 16 cannot be represented in type 'long' Fixes: 26565/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5092054700654592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/utils.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)