
[FFmpeg-devel,3/5] avformat/mvdec: Do not set invalid sample rate

Message ID 20210915200048.6691-3-michael@niedermayer.cc
State Accepted
Commit 737e6bf2162b89d396f4d477bfe8c99f1dd885de
Series [FFmpeg-devel,1/5] avformat/sbgdec: Check for t0 overflow in expand_tseq() | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_ppc success Make finished
andriy/make_fate_ppc success Make fate finished

Commit Message

Michael Niedermayer Sept. 15, 2021, 8 p.m. UTC
Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long'
Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mvdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Peter Ross Sept. 16, 2021, 7:02 a.m. UTC | #1
On Wed, Sep 15, 2021 at 10:00:46PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long'
> Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mvdec.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> index b1450e08da9..7573087c7cc 100644
> --- a/libavformat/mvdec.c
> +++ b/libavformat/mvdec.c
> @@ -156,9 +156,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st,
>      } else if (!strcmp(name, "NUM_CHANNELS")) {
>          return set_channels(avctx, st, var_read_int(pb, size));
>      } else if (!strcmp(name, "SAMPLE_RATE")) {
> -        st->codecpar->sample_rate = var_read_int(pb, size);
> -        if (st->codecpar->sample_rate <= 0)
> +        int sample_rate = var_read_int(pb, size);
> +        if (sample_rate <= 0)
>              return AVERROR_INVALIDDATA;
> +        st->codecpar->sample_rate = sample_rate;
>          avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate);
>      } else if (!strcmp(name, "SAMPLE_WIDTH")) {
>          uint64_t bpc = var_read_int(pb, size) * (uint64_t)8;

please apply

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
Michael Niedermayer Sept. 16, 2021, 4:11 p.m. UTC | #2
On Thu, Sep 16, 2021 at 05:02:53PM +1000, Peter Ross wrote:
> On Wed, Sep 15, 2021 at 10:00:46PM +0200, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long'
> > Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/mvdec.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> > 
> > diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> > index b1450e08da9..7573087c7cc 100644
> > --- a/libavformat/mvdec.c
> > +++ b/libavformat/mvdec.c
> > @@ -156,9 +156,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st,
> >      } else if (!strcmp(name, "NUM_CHANNELS")) {
> >          return set_channels(avctx, st, var_read_int(pb, size));
> >      } else if (!strcmp(name, "SAMPLE_RATE")) {
> > -        st->codecpar->sample_rate = var_read_int(pb, size);
> > -        if (st->codecpar->sample_rate <= 0)
> > +        int sample_rate = var_read_int(pb, size);
> > +        if (sample_rate <= 0)
> >              return AVERROR_INVALIDDATA;
> > +        st->codecpar->sample_rate = sample_rate;
> >          avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate);
> >      } else if (!strcmp(name, "SAMPLE_WIDTH")) {
> >          uint64_t bpc = var_read_int(pb, size) * (uint64_t)8;
> 
> please apply

will do

thx

[...]

Patch

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index b1450e08da9..7573087c7cc 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -156,9 +156,10 @@  static int parse_audio_var(AVFormatContext *avctx, AVStream *st,
     } else if (!strcmp(name, "NUM_CHANNELS")) {
         return set_channels(avctx, st, var_read_int(pb, size));
     } else if (!strcmp(name, "SAMPLE_RATE")) {
-        st->codecpar->sample_rate = var_read_int(pb, size);
-        if (st->codecpar->sample_rate <= 0)
+        int sample_rate = var_read_int(pb, size);
+        if (sample_rate <= 0)
             return AVERROR_INVALIDDATA;
+        st->codecpar->sample_rate = sample_rate;
         avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate);
     } else if (!strcmp(name, "SAMPLE_WIDTH")) {
         uint64_t bpc = var_read_int(pb, size) * (uint64_t)8;
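Review bot: Nothing in the SAMPLE_RATE branch records why the value now goes through a local before it is stored, so a later cleanup could fold it back into `st->codecpar->sample_rate = var_read_int(pb, size);` and reintroduce the overflow named in the commit message. That message implies code outside this hunk still reads `codecpar->sample_rate` after this function has returned AVERROR_INVALIDDATA; a one-line comment above the check, such as `/* validate first: codecpar->sample_rate must never hold a non-positive value, even on the error path */`, would pin the invariant. The call that follows could also take the validated local directly, `avpriv_set_pts_info(st, 33, 1, sample_rate);`, which keeps the checked value and the used value visibly the same. parse_audio_var starts and ends outside the hunk, so whether its caller stops on the error return cannot be confirmed from here.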