[FFmpeg-cvslog] avformat/cdxl: Fix integer overflow in intermediate
Michael Niedermayer
git at videolan.org
Mon Sep 16 02:00:30 EEST 2019
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Aug 31 00:20:39 2019 +0200| [5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac] | committer: Michael Niedermayer
avformat/cdxl: Fix integer overflow in intermediate
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int'
Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac
---
libavformat/cdxl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c
index 9aacaddb40..e675b2c8f1 100644
--- a/libavformat/cdxl.c
+++ b/libavformat/cdxl.c
@@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt)
height = AV_RB16(&cdxl->header[16]);
palette_size = AV_RB16(&cdxl->header[20]);
audio_size = AV_RB16(&cdxl->header[22]);
- if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
+ if (cdxl->header[19] == 0 ||
+ FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
return AVERROR_INVALIDDATA;
if (format == 0x20)
image_size = width * height * cdxl->header[19] / 8;
More information about the ffmpeg-cvslog
mailing list