diff mbox series

[FFmpeg-devel,3/7] avformat/mvi: Use 64bit for testing dimensions

Message ID 20210116230729.30613-3-michael@niedermayer.cc
State Accepted
Commit 48fb752767086a48e599f9e86d87096f66cc7590
Headers show
Series [FFmpeg-devel,1/7] avformat/mpsubdec: Use av_sat_add/sub64() in fracval handling | expand

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer Jan. 16, 2021, 11:07 p.m. UTC 
Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-6649291124899840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mvi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer Jan. 26, 2021, 4:46 p.m. UTC | #1 
On Sun, Jan 17, 2021 at 12:07:25AM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
> Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-6649291124899840
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mvi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
diff mbox series

Patch

diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 06c9cfe3f0..2d4b11aa32 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -94,7 +94,7 @@  static int read_header(AVFormatContext *s)
     vst->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
     vst->codecpar->codec_id   = AV_CODEC_ID_MOTIONPIXELS;
 
-    mvi->get_int = (vst->codecpar->width * vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24;
+    mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24;
 
     mvi->audio_frame_size   = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count;
     if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {