Message ID | 20220918171410.31835-13-michael@niedermayer.cc |
---|---|
State | New |
Series | [FFmpeg-devel,01/13] avformat/flvdec: Use 64bit for sum_flv_tag_size |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
Quoting Michael Niedermayer (2022-09-18 19:14:10) > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' > Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/westwood_vqa.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c > index e3d2e2668c4..bd8df5e0b34 100644 > --- a/libavformat/westwood_vqa.c > +++ b/libavformat/westwood_vqa.c > @@ -274,6 +274,8 @@ static int wsvqa_read_packet(AVFormatContext *s, > return AVERROR(EIO); > > /* the decoder expects chunks to be 16-bit aligned */ > + if (wsvqa->vqfl_chunk_size == INT_MAX) > + return AVERROR_INVALIDDATA; IIUC this can only happen after the wsvqa->vqfl_chunk_size > 3 * (1 << 20) check above was triggered. Then it makes more sense to change that code to check chunk_size before setting wsvqa->vqfl_chunk_size.
On Thu, Sep 22, 2022 at 03:01:05PM +0200, Anton Khirnov wrote: > Quoting Michael Niedermayer (2022-09-18 19:14:10) > > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' > > Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/westwood_vqa.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c > > index e3d2e2668c4..bd8df5e0b34 100644 > > --- a/libavformat/westwood_vqa.c > > +++ b/libavformat/westwood_vqa.c > > @@ -274,6 +274,8 @@ static int wsvqa_read_packet(AVFormatContext *s, > > return AVERROR(EIO); > > > > /* the decoder expects chunks to be 16-bit aligned */ > > + if (wsvqa->vqfl_chunk_size == INT_MAX) > > + return AVERROR_INVALIDDATA; > > IIUC this can only happen after the > wsvqa->vqfl_chunk_size > 3 * (1 << 20) > check above was triggered. Then it makes more sense to change that code > to check chunk_size before setting wsvqa->vqfl_chunk_size. i will post a new patch thx [...]
diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index e3d2e2668c4..bd8df5e0b34 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -274,6 +274,8 @@ static int wsvqa_read_packet(AVFormatContext *s, return AVERROR(EIO); /* the decoder expects chunks to be 16-bit aligned */ + if (wsvqa->vqfl_chunk_size == INT_MAX) + return AVERROR_INVALIDDATA; if (wsvqa->vqfl_chunk_size % 2 == 1) wsvqa->vqfl_chunk_size++;
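Review bot: the `== INT_MAX` test inserted before the alignment increment only blocks the single value at which `wsvqa->vqfl_chunk_size++` overflows; it does not address how such a value reached this point, and the review reply in the thread points at the real cause, a bound check on `wsvqa->vqfl_chunk_size > 3 * (1 << 20)` that runs after the value has already been stored. Applying that bound to `chunk_size` before assigning it to `wsvqa->vqfl_chunk_size` means a rejected size is never left in the context for a later `wsvqa_read_packet()` call to round up, and the INT_MAX special case becomes unnecessary. As a style point, the new check also lands between the comment `/* the decoder expects chunks to be 16-bit aligned */` and the `% 2 == 1` increment that comment describes; if the check stays, it should go above the comment.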
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/westwood_vqa.c | 2 ++
 1 file changed, 2 insertions(+)
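The ordering question raised in the review reply (bound-check the parsed size before storing it, rather than catching INT_MAX at the alignment step) is easy to see in isolation. The following is an added example written for this page, not code from libavformat/westwood_vqa.c: `struct ctx`, `store_then_check`, `check_then_store`, `align_to_16bit`, `run`, `ERR_INVALIDDATA` and `MAX_VQFL_CHUNK` are hypothetical stand-ins, and the "store first, check afterwards" layout of `store_then_check` is an assumption about the pre-patch code inferred from the reply, not something the patch itself shows. The 3 MiB bound and the `% 2 == 1` rounding are the ones quoted in the thread.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-ins (not FFmpeg's own macros or types). */
#define ERR_INVALIDDATA (-1)
#define MAX_VQFL_CHUNK  (3 * (1 << 20))   /* bound quoted in the review reply */

struct ctx {
    int vqfl_chunk_size;    /* persists between read_packet calls */
};

/* Assumed pre-patch ordering: store, then bound-check. On rejection the
 * oversized value is left behind in the context. */
static int store_then_check(struct ctx *c, int chunk_size)
{
    c->vqfl_chunk_size = chunk_size;
    if (c->vqfl_chunk_size > MAX_VQFL_CHUNK)
        return ERR_INVALIDDATA;
    return 0;
}

/* Ordering suggested in the thread: bound-check the parsed value first and
 * store it only once it is known to be sane. */
static int check_then_store(struct ctx *c, int chunk_size)
{
    if (chunk_size < 0 || chunk_size > MAX_VQFL_CHUNK)
        return ERR_INVALIDDATA;
    c->vqfl_chunk_size = chunk_size;
    return 0;
}

/* The alignment step from the hunk. Instead of incrementing blindly it
 * returns 1 when vqfl_chunk_size++ would compute INT_MAX + 1 (the signed
 * overflow UBSan flagged) and 0 when the value was rounded safely or was
 * already even. */
static int align_to_16bit(struct ctx *c)
{
    if (c->vqfl_chunk_size % 2 == 1) {
        if (c->vqfl_chunk_size == INT_MAX)
            return 1;
        c->vqfl_chunk_size++;
    }
    return 0;
}

/* Feed one size through one ordering, report what the context holds
 * afterwards in *left_behind, and return what the alignment step sees:
 * 1 = would overflow, 0 = safe. */
static int run(int (*parse)(struct ctx *, int), int chunk_size, int *left_behind)
{
    struct ctx c = { 0 };
    (void)parse(&c, chunk_size);    /* both orderings reject INT_MAX ... */
    *left_behind = c.vqfl_chunk_size;
    return align_to_16bit(&c);      /* ... but only one leaves it stored */
}

int main(void)
{
    int stale, clean;
    /* Constructed input: an odd chunk size of INT_MAX, as a crafted file could carry. */
    int a = run(store_then_check, INT_MAX, &stale);
    int b = run(check_then_store, INT_MAX, &clean);
    printf("store-then-check: left %d behind, overflow=%d\n", stale, a);
    printf("check-then-store: left %d behind, overflow=%d\n", clean, b);
    return 0;
}
```

Both orderings return an error for the oversized chunk; the difference is what the context holds afterwards. With the check applied before the store, the alignment step never sees a value it cannot round, so the equality test against INT_MAX has nothing left to catch.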