| Message ID | 20220918171410.31835-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 7124f10c1d521096042ba3c9c519828147f78c46 |
| Headers | show |
| Series | [FFmpeg-devel,01/13] avformat/flvdec: Use 64bit for sum_flv_tag_size | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
On Sun, Sep 18, 2022 at 07:13:58PM +0200, Michael Niedermayer wrote: > Fixes: signed integer overflow: 2138820085 + 16130322 cannot be represented in type 'int' > Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6704728165187584 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/flvdec.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) i intend to apply this patchset (minus anything with objections) soon [...]
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 7f9d7950448..d83edff727c 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -66,7 +66,7 @@ typedef struct FLVContext { uint8_t resync_buffer[2*RESYNC_BUFFER_SIZE]; int broken_sizes; - int sum_flv_tag_size; + int64_t sum_flv_tag_size; int last_keyframe_stream_index; int keyframe_count; @@ -1032,7 +1032,7 @@ retry: type = (avio_r8(s->pb) & 0x1F); orig_size = size = avio_rb24(s->pb); - flv->sum_flv_tag_size += size + 11; + flv->sum_flv_tag_size += size + 11LL; dts = avio_rb24(s->pb); dts |= (unsigned)avio_r8(s->pb) << 24; av_log(s, AV_LOG_TRACE, "type:%d, size:%d, last:%d, dts:%"PRId64" pos:%"PRId64"\n", type, size, last, dts, avio_tell(s->pb)); @@ -1332,7 +1332,7 @@ leave: !avio_feof(s->pb) && (last != orig_size || !last) && last != flv->sum_flv_tag_size && !flv->broken_sizes) { - av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %d\n", last, orig_size + 11, flv->sum_flv_tag_size); + av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %"PRId64"\n", last, orig_size + 11, flv->sum_flv_tag_size); avio_seek(s->pb, pos + 1, SEEK_SET); ret = resync(s); av_packet_unref(pkt);
Fixes: signed integer overflow: 2138820085 + 16130322 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6704728165187584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)