diff mbox series

[FFmpeg-devel,2/5] avformat/smacker: Check for too small pts_inc

Message ID 20210117225311.17297-2-michael@niedermayer.cc
State Accepted
Commit f54aab94a363489edcda492637d6e7409cc5446b
Headers show
Series [FFmpeg-devel,1/5] avformat/sccdec: Use larger intermediate for ts/next_ts computation
Related show

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer Jan. 17, 2021, 10:53 p.m. UTC
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SMACKER_fuzzer-6705429132476416

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/smacker.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 9966a67055..61209e7038 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -105,8 +105,8 @@  static int smacker_read_header(AVFormatContext *s)
     height = avio_rl32(pb);
     smk->frames = avio_rl32(pb);
     pts_inc = avio_rl32(pb);
-    if (pts_inc > INT_MAX / 100) {
-        av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", pts_inc);
+    if (pts_inc > INT_MAX / 100 || pts_inc == INT_MIN) {
+        av_log(s, AV_LOG_ERROR, "pts_inc %d is invalid\n", pts_inc);
         return AVERROR_INVALIDDATA;
     }