| Message ID | 20230930223046.22896-6-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | b3c973acbecb879d4949fecdadd2fdfc08dea42b |
| Headers | show |
| Series | [FFmpeg-devel,01/15] avformat/concatdec: Check in/outpoint for overflow | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 3ef6fda3862..eae0da891bc 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -268,6 +268,9 @@ static int rpl_read_header(AVFormatContext *s) "Video stream will be broken!\n", av_fourcc2str(vst->codecpar->codec_tag)); number_of_chunks = read_line_and_int(pb, &error); // number of chunks in the file + if (number_of_chunks == INT_MAX) + return AVERROR_INVALIDDATA; + // The number in the header is actually the index of the last chunk. number_of_chunks++;
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6086131095830528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+)