Message ID | 20220910223046.5135-3-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | ac26712e35f5ebc726d1be14bb4a420949e66604 |
Headers | show |
Series | [FFmpeg-devel,1/5] avcodec/apedec: Fix integer overflow in filter_3800() | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Sun, Sep 11, 2022 at 12:30:44AM +0200, Michael Niedermayer wrote: > Fixes: signed integer overflow: 17121181824 * 538976288 cannot be represented in type 'long long' > Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5915330316206080 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/exr.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) will apply [...]
diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 235f6fa6cdd..c924406f131 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1942,9 +1942,12 @@ static int decode_header(EXRContext *s, AVFrame *frame) "preview", 16)) >= 0) { uint32_t pw = bytestream2_get_le32(gb); uint32_t ph = bytestream2_get_le32(gb); - int64_t psize = 4LL * pw * ph; + uint64_t psize = pw * ph; + if (psize > INT64_MAX / 4) + return AVERROR_INVALIDDATA; + psize *= 4; - if (psize >= bytestream2_get_bytes_left(gb)) + if ((int64_t)psize >= bytestream2_get_bytes_left(gb)) return AVERROR_INVALIDDATA; bytestream2_skip(gb, psize);
Fixes: signed integer overflow: 17121181824 * 538976288 cannot be represented in type 'long long' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5915330316206080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/exr.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)