[FFmpeg-devel] [PATCH] avcodec/agm: Fix integer overflow with w/h
Michael Niedermayer
michael at niedermayer.cc
Fri Apr 5 13:51:36 EEST 2019
On Fri, Apr 05, 2019 at 09:54:51AM +0200, Paul B Mahol wrote:
> On 4/5/19, Michael Niedermayer <michael at niedermayer.cc> wrote:
> > Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to
> > an unsigned type to negate this value to itself
> > Fixes:
> > 13999/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5644405991538688
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/agm.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/agm.c b/libavcodec/agm.c
> > index 2d2092222d..cbd45e8095 100644
> > --- a/libavcodec/agm.c
> > +++ b/libavcodec/agm.c
> > @@ -535,11 +535,13 @@ static int decode_frame(AVCodecContext *avctx, void
> > *data,
> >
> > s->flags = 0;
> > w = bytestream2_get_le32(gbyte);
> > + h = bytestream2_get_le32(gbyte);
> > + if (w == INT32_MIN || h == INT32_MIN)
> > + return AVERROR_INVALIDDATA;
> > if (w < 0) {
> > w = -w;
> > s->flags |= 2;
> > }
> > - h = bytestream2_get_le32(gbyte);
> > if (h < 0) {
> > h = -h;
> > s->flags |= 1;
> > --
>
> OK
will apply
thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I have never wished to cater to the crowd; for what I know they do not
approve, and what they approve I do not know. -- Epicurus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190405/9b95db7d/attachment.sig>
More information about the ffmpeg-devel
mailing list