[FFmpeg-cvslog] avcodec/truemotion2: Move skip computation after checks
    Michael Niedermayer 
    git at videolan.org
       
    Wed Jul 19 17:53:49 EEST 2017
    
    
  
ffmpeg | branch: release/3.3 | Michael Niedermayer <michael at niedermayer.cc> | Thu Jun 15 23:41:46 2017 +0200| [1729101c44c093078f9b1e7466c16d06bbbc85bf] | committer: Michael Niedermayer
avcodec/truemotion2: Move skip computation after checks
Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int'
Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 3c716682a8b69e6644a385a663aaf0e5dc808ae8)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1729101c44c093078f9b1e7466c16d06bbbc85bf
---
 libavcodec/truemotion2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index e6ae05f1d5..a463a925fd 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
     /* get stream length in dwords */
     bytestream2_init(&gb, buf, buf_size);
     len  = bytestream2_get_be32(&gb);
-    skip = len * 4 + 4;
 
     if (len == 0)
         return 4;
 
-    if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) {
+    if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) {
         av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n");
         return AVERROR_INVALIDDATA;
     }
+    skip = len * 4 + 4;
 
     toks = bytestream2_get_be32(&gb);
     if (toks & 1) {
    
    
More information about the ffmpeg-cvslog
mailing list