From patchwork Mon Oct 19 15:59:52 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 23090
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 5E40F44807F
	for <patchwork@ffaux-bg.ffmpeg.org>; Mon, 19 Oct 2020 19:01:04 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4BB7768B619;
	Mon, 19 Oct 2020 19:01:04 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe06-2.mx.upcmail.net
 (vie01a-dmta-pe06-2.mx.upcmail.net [84.116.36.15])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B655968B497
 for <ffmpeg-devel@ffmpeg.org>; Mon, 19 Oct 2020 19:00:56 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe06.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1kUXai-000233-0F
 for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 18:00:56 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id UXZjk52dyIr7GUXZjkd92s; Mon, 19 Oct 2020 17:59:55 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=NZNCtQD6c9wZftA5qAIA:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=bWyr8ysk75zN3GCy5bjg:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Mon, 19 Oct 2020 17:59:52 +0200
Message-Id: <20201019155955.27725-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
X-CMAE-Envelope: 
 MS4wfNpj5Z4vVLN7Ifv3gRvqplj9pOSGbhaj1DDl7x/QEjbAjPMcQVtCXvl6Zc7YdDRxp01eVxDVjuWZMAynswYDAL9v/mVtectOXLveSE/NbBVHDsKeS7i2
 hv31mJsBsCRsdJe5l+O6/dJXsZif2WQ5ogWUyUdJPb5OzAvXClgBtpj0
Subject: [FFmpeg-devel] [PATCH 1/4] avformat/genh: Check block_align
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: infinite loop
Fixes: 26440/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5632134020333568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/genh.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/genh.c b/libavformat/genh.c
index 61adf49964..544d063aa4 100644
--- a/libavformat/genh.c
+++ b/libavformat/genh.c
@@ -144,6 +144,9 @@ static int genh_read_header(AVFormatContext *s)
         }
     }
 
+    if (st->codecpar->block_align <= 0)
+        return AVERROR_INVALIDDATA;
+
     avio_skip(s->pb, start_offset - avio_tell(s->pb));
 
     avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate);

From patchwork Mon Oct 19 15:59:53 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 23092
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 2ED3944807F
	for <patchwork@ffaux-bg.ffmpeg.org>; Mon, 19 Oct 2020 19:01:06 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1C05868B6D5;
	Mon, 19 Oct 2020 19:01:06 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe01-2.mx.upcmail.net
 (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B8A1368B5BB
 for <ffmpeg-devel@ffmpeg.org>; Mon, 19 Oct 2020 19:00:56 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1kUXai-0008Gp-0E
 for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 18:00:56 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id UXZkk52f7Ir7GUXZkkd93d; Mon, 19 Oct 2020 17:59:56 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=3T9qwGnPNqKbp0u6qbYA:9 a=chCAXNz2YO8wZNhL:21
 a=jLHSaZTz2xczM32-:21 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22
 a=UDnyf2zBuKT2w-IlGP_r:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Mon, 19 Oct 2020 17:59:53 +0200
Message-Id: <20201019155955.27725-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201019155955.27725-1-michael@niedermayer.cc>
References: <20201019155955.27725-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfNpj5Z4vVLN7Ifv3gRvqplj9pOSGbhaj1DDl7x/QEjbAjPMcQVtCXvl6Zc7YdDRxp01eVxDVjuWZMAynswYDAL9v/mVtectOXLveSE/NbBVHDsKeS7i2
 hv31mJsBsCRsdJe5l+O6/dJXsZif2WQ5ogWUyUdJPb5OzAvXClgBtpj0
Subject: [FFmpeg-devel] [PATCH 2/4] avformat/wtvdec: Check dir_length
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: Infinite loop
Fixes: 26445/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5125558331244544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/wtvdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 83f510b92f..77908e6392 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -273,6 +273,11 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b
                    "bad filename length, remaining directory entries ignored\n");
             break;
         }
+        if (dir_length == 0) {
+            av_log(s, AV_LOG_ERROR,
+                   "bad dir length, remaining directory entries ignored\n");
+            break;
+        }
         if (48 + (int64_t)name_size > buf_end - buf) {
             av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
             break;

From patchwork Mon Oct 19 15:59:54 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 23089
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 41A9744807F
	for <patchwork@ffaux-bg.ffmpeg.org>; Mon, 19 Oct 2020 19:01:03 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 0D1C668B5FF;
	Mon, 19 Oct 2020 19:01:03 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe05-1.mx.upcmail.net
 (vie01a-dmta-pe05-1.mx.upcmail.net [84.116.36.11])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B37E668AE7C
 for <ffmpeg-devel@ffmpeg.org>; Mon, 19 Oct 2020 19:00:56 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1kUXai-0005Px-0F
 for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 18:00:56 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id UXZkk52fNIr7GUXZkkd93l; Mon, 19 Oct 2020 17:59:56 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=31wDzDo4lpyPA05lQLEA:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Mon, 19 Oct 2020 17:59:54 +0200
Message-Id: <20201019155955.27725-3-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201019155955.27725-1-michael@niedermayer.cc>
References: <20201019155955.27725-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfNpj5Z4vVLN7Ifv3gRvqplj9pOSGbhaj1DDl7x/QEjbAjPMcQVtCXvl6Zc7YdDRxp01eVxDVjuWZMAynswYDAL9v/mVtectOXLveSE/NbBVHDsKeS7i2
 hv31mJsBsCRsdJe5l+O6/dJXsZif2WQ5ogWUyUdJPb5OzAvXClgBtpj0
Subject: [FFmpeg-devel] [PATCH 3/4] avformat/jacosubdec: Use 64bit inside
	get_shift()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int'
Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/jacosubdec.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c
index 3414eb3938..e70ceeaafd 100644
--- a/libavformat/jacosubdec.c
+++ b/libavformat/jacosubdec.c
@@ -136,6 +136,7 @@ static int get_shift(int timeres, const char *buf)
 {
     int sign = 1;
     int a = 0, b = 0, c = 0, d = 0;
+    int64_t ret;
 #define SSEP "%*1[.:]"
     int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d);
 #undef SSEP
@@ -145,13 +146,16 @@ static int get_shift(int timeres, const char *buf)
         a = FFABS(a);
     }
 
+    ret = 0;
     switch (n) {
-    case 4: return sign * ((a*3600 + b*60 + c) * timeres + d);
-    case 3: return sign * ((         a*60 + b) * timeres + c);
-    case 2: return sign * ((                a) * timeres + b);
+    case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d);
+    case 3: ret = sign * ((         (int64_t)a*60 + b) * timeres + c);
+    case 2: ret = sign * ((                (int64_t)a) * timeres + b);
     }
+    if ((int)ret != ret)
+        ret = 0;
 
-    return 0;
+    return ret;
 }
 
 static int jacosub_read_header(AVFormatContext *s)

From patchwork Mon Oct 19 15:59:55 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 23091
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 3D21444807F
	for <patchwork@ffaux-bg.ffmpeg.org>; Mon, 19 Oct 2020 19:01:05 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 29C2168B674;
	Mon, 19 Oct 2020 19:01:05 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe05-1.mx.upcmail.net
 (vie01a-dmta-pe05-1.mx.upcmail.net [84.116.36.11])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id BB6C068B5C8
 for <ffmpeg-devel@ffmpeg.org>; Mon, 19 Oct 2020 19:00:56 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1kUXai-0005Ps-0F
 for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 18:00:56 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id UXZkk52fbIr7GUXZkkd93v; Mon, 19 Oct 2020 17:59:56 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=bk4MbfdO8Y-9-VuAge4A:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Mon, 19 Oct 2020 17:59:55 +0200
Message-Id: <20201019155955.27725-4-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201019155955.27725-1-michael@niedermayer.cc>
References: <20201019155955.27725-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfNpj5Z4vVLN7Ifv3gRvqplj9pOSGbhaj1DDl7x/QEjbAjPMcQVtCXvl6Zc7YdDRxp01eVxDVjuWZMAynswYDAL9v/mVtectOXLveSE/NbBVHDsKeS7i2
 hv31mJsBsCRsdJe5l+O6/dJXsZif2WQ5ogWUyUdJPb5OzAvXClgBtpj0
Subject: [FFmpeg-devel] [PATCH 4/4] avformat/mvi: Check count for overflow
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: left shift of 21378748 by 10 places cannot be represented in type 'int'
Fixes: 26449/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5680463374712832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mvi.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index ff5c08bf51..06c9cfe3f0 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -123,6 +123,8 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
         count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS;
         if (count > mvi->audio_size_left)
             count = mvi->audio_size_left;
+        if ((int64_t)count << MVI_FRAC_BITS > INT_MAX)
+            return AVERROR_INVALIDDATA;
         if ((ret = av_get_packet(pb, pkt, count)) < 0)
             return ret;
         pkt->stream_index = MVI_AUDIO_STREAM_INDEX;