[FFmpeg-cvslog] avformat/utils: check for integer overflow in av_get_frame_filename2()

Wed Jan 20 22:35:16 EET 2021

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Aug 15 22:52:42 2020 +0200| [03c479ce236955fc329c7f9f4765ee1ec256bb73] | committer: Michael Niedermayer

avformat/utils: check for integer overflow in av_get_frame_filename2()

Fixes: signed integer overflow: 317316873 * 10 cannot be represented in type 'int'
Fixes: 24708/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5731180885049344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=03c479ce236955fc329c7f9f4765ee1ec256bb73
---

 libavformat/utils.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index d193f9e85f..8ac6bc04b8 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -4700,8 +4700,11 @@ int av_get_frame_filename2(char *buf, int buf_size, const char *path, int number
         if (c == '%') {
             do {
                 nd = 0;
-                while (av_isdigit(*p))
+                while (av_isdigit(*p)) {
+                    if (nd >= INT_MAX / 10 - 255)
+                        goto fail;
                     nd = nd * 10 + *p++ - '0';
+                }
                 c = *p++;
             } while (av_isdigit(c));
 

