Message ID | 20240326023056.20548-4-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | d188a867302fd745b5980a90a0b5cad9016c477c |
Headers | show |
Series | [FFmpeg-devel,1/7] avcodec/hcadec: do not set hfr_group_count to invalid values | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On 3/25/2024 11:30 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147483647 + 4 cannot be represented in type 'int'
> Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/rtv1.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c
> index 06afe9e873c..807c8a34666 100644
> --- a/libavcodec/rtv1.c
> +++ b/libavcodec/rtv1.c
> @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
>
> width = bytestream2_get_le32(&gb);
> height = bytestream2_get_le32(&gb);
> + if (width > INT_MAX-4U || height > INT_MAX-4U)

Does this promote width and height to unsigned? If not, you may want to cast them to unsigned (or check for < 0) and remove the then unnecessary U to the 4.

> + return AVERROR_INVALIDDATA;
> ret = ff_set_dimensions(avctx, FFALIGN(width, 4), FFALIGN(height, 4));
> if (ret < 0)
> return ret;
James Almer:
> On 3/25/2024 11:30 PM, Michael Niedermayer wrote:
>> Fixes: signed integer overflow: 2147483647 + 4 cannot be represented
>> in type 'int'
>> Fixes:
>> 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavcodec/rtv1.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c
>> index 06afe9e873c..807c8a34666 100644
>> --- a/libavcodec/rtv1.c
>> +++ b/libavcodec/rtv1.c
>> @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx,
>> AVFrame *p,
>> width = bytestream2_get_le32(&gb);
>> height = bytestream2_get_le32(&gb);
>> + if (width > INT_MAX-4U || height > INT_MAX-4U)
>
> Does this promote width and height to unsigned? If not, you may want to
> cast them to unsigned (or check for < 0) and remove the then unnecessary
> U to the 4.

The right-hand side of the comparisons is an unsigned; if width and height are ints (as I presume based upon the commit message), they get promoted to unsigned.

>
>> + return AVERROR_INVALIDDATA;
>> ret = ff_set_dimensions(avctx, FFALIGN(width, 4),
>> FFALIGN(height, 4));
>> if (ret < 0)
>> return ret;
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
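The promotion point settled in the reply above is easy to verify in isolation. The following stand-alone C program is an added illustration, not code from the patch or from FFmpeg: it reproduces FFmpeg's `FFALIGN` definition, uses a local stand-in for `bytestream2_get_le32`, assumes (as the discussion does) that `width` and `height` are `int`, and feeds the patched guard a few constructed 8-byte headers, including the `INT_MAX` value from the fuzzer report and a value with the top bit set that reads as negative.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* FFmpeg's alignment macro as used in rtv1.c (from libavutil/macros.h). */
#define FFALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Stand-in for bytestream2_get_le32(): read a little-endian 32-bit value. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The guard from the patch, verbatim. width/height are assumed to be int
 * (as the list discussion presumes). Because 4U is unsigned, INT_MAX-4U is
 * unsigned, and the usual arithmetic conversions turn the int operand into
 * unsigned as well: -1 becomes UINT_MAX and is rejected, INT_MAX-4 passes.
 * Returns 1 if the pair is rejected, 0 if accepted. */
int rtv1_dims_rejected(int width, int height)
{
    return width > INT_MAX - 4U || height > INT_MAX - 4U;
}

/* The same test with the conversion spelled out; behaves identically. */
int rtv1_dims_rejected_explicit(int width, int height)
{
    return (unsigned)width > INT_MAX - 4U || (unsigned)height > INT_MAX - 4U;
}

/* Computes FFALIGN(x, 4) in 64-bit arithmetic and reports whether the int
 * version would have overflowed (the condition the fuzzer hit). */
int ffalign4_overflows(int x)
{
    int64_t aligned = ((int64_t)x + 3) & ~(int64_t)3;
    return aligned > INT_MAX;
}

/* Mirrors the patched prologue of decode_frame() on a constructed 8-byte
 * header (LE32 width, LE32 height). Returns 0 and the aligned dimensions on
 * accept, -1 (standing in for AVERROR_INVALIDDATA) on reject. The
 * unsigned-to-int store is implementation-defined for out-of-range values
 * and wraps on every mainstream platform, as it does in the decoder. */
int check_header(const uint8_t hdr[8], int *aligned_w, int *aligned_h)
{
    int width  = get_le32(hdr);
    int height = get_le32(hdr + 4);
    if (width > INT_MAX - 4U || height > INT_MAX - 4U)
        return -1;
    *aligned_w = FFALIGN(width, 4);
    *aligned_h = FFALIGN(height, 4);
    return 0;
}

/* Scalar wrappers so results can be checked without out-parameters. */
int header_verdict(const uint8_t hdr[8])
{
    int w = 0, h = 0;
    return check_header(hdr, &w, &h);
}
int header_aligned_width(const uint8_t hdr[8])
{
    int w = 0, h = 0;
    return check_header(hdr, &w, &h) == 0 ? w : -1;
}

/* Constructed sample headers (not taken from any real RTV1 stream). */
const uint8_t SAMPLE_OK[8]       = { 0x05, 0, 0, 0, 0x10, 0, 0, 0 };          /* 5 x 16 */
const uint8_t SAMPLE_INT_MAX[8]  = { 0xFF, 0xFF, 0xFF, 0x7F, 0x10, 0, 0, 0 }; /* INT_MAX x 16 */
const uint8_t SAMPLE_NEGATIVE[8] = { 0xFF, 0xFF, 0xFF, 0xFF, 0x10, 0, 0, 0 }; /* -1 x 16 */

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_OK, SAMPLE_INT_MAX, SAMPLE_NEGATIVE };
    for (size_t i = 0; i < 3; i++) {
        int w = 0, h = 0;
        int ret = check_header(samples[i], &w, &h);
        if (ret)
            printf("sample %zu: rejected\n", i);
        else
            printf("sample %zu: accepted -> aligned %dx%d\n", i, w, h);
    }
    printf("FFALIGN(INT_MAX, 4) overflows: %d\n", ffalign4_overflows(INT_MAX));
    return 0;
}
```

The program also shows that the guard is one step stricter than the overflow requires: `INT_MAX-3` is rejected although `FFALIGN(INT_MAX-3, 4)` would still fit, which is harmless for a dimension that `ff_set_dimensions` would refuse anyway.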
diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c index 06afe9e873c..807c8a34666 100644 --- a/libavcodec/rtv1.c +++ b/libavcodec/rtv1.c @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, width = bytestream2_get_le32(&gb); height = bytestream2_get_le32(&gb); + if (width > INT_MAX-4U || height > INT_MAX-4U) + return AVERROR_INVALIDDATA; ret = ff_set_dimensions(avctx, FFALIGN(width, 4), FFALIGN(height, 4)); if (ret < 0) return ret;
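Review bot: the guard added in this hunk, `if (width > INT_MAX-4U || height > INT_MAX-4U)`, is correct only because of the unsigned `4U` literal: `INT_MAX-4U` is unsigned, so an `int` width or height is converted to unsigned for the comparison and a negative value (a LE32 with the top bit set) becomes large and is rejected together with anything above `INT_MAX-4`, which is what keeps `FFALIGN(width, 4)` on the next line from overflowing. That behaviour is intended but subtle enough that it was questioned once in review already; a one-line comment stating that the unsigned comparison also rejects negative values, or an explicit `(unsigned)width` / `(unsigned)height` cast (which additionally silences -Wsign-compare), would make the intent self-evident to the next reader.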
Fixes: signed integer overflow: 2147483647 + 4 cannot be represented in type 'int'
Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/rtv1.c | 2 ++
1 file changed, 2 insertions(+)