| Message ID | 20201107231710.24816-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | b0f8586ca9853ab3d324ccd3c42bad4375000b0a |
| Headers | show |
| Series | [FFmpeg-devel,1/5] avformat/tedcaptionsdec: Check for overflow in parse_int() | expand |
| Context | Check | Description |
|---|---|---|
| andriy/x86_make | success | Make finished |
| andriy/x86_make_fate | success | Make fate finished |
On Sun, Nov 08, 2020 at 12:17:06AM +0100, Michael Niedermayer wrote: > Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long' > Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/tedcaptionsdec.c | 2 ++ > 1 file changed, 2 insertions(+) will apply [...]
diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 6c25d602d6..c15aeea06c 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -172,6 +172,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result) if ((unsigned)*cur_byte - '0' > 9) return AVERROR_INVALIDDATA; while (BETWEEN(*cur_byte, '0', '9')) { + if (val > INT_MAX/10 - (*cur_byte - '0')) + return AVERROR_INVALIDDATA; val = val * 10 + (*cur_byte - '0'); next_byte(pb, cur_byte); }
Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long' Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/tedcaptionsdec.c | 2 ++ 1 file changed, 2 insertions(+)