[FFmpeg-devel] [PATCH 3/4] avformat/moflex: Check pop_int() for overflow
Paul B Mahol
onemda at gmail.com
Mon Sep 21 01:32:14 EEST 2020
On Sun, Sep 20, 2020 at 10:26:07PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2 * 2132811776 cannot be represented in type 'int'
> Fixes: 25722/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6221704077246464
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/moflex.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/moflex.c b/libavformat/moflex.c
> index 2111157408..937f63cb63 100644
> --- a/libavformat/moflex.c
> +++ b/libavformat/moflex.c
> @@ -62,6 +62,8 @@ static int pop_int(BitReader *br, AVIOContext *pb, int n)
>
> if (ret < 0)
> return ret;
> + if (ret > INT_MAX - value - value)
> + return AVERROR_INVALIDDATA;
> value = 2 * value + ret;
Generally acceptable.
More information about the ffmpeg-devel
mailing list