[FFmpeg-devel] [PATCH 1/4] avformat/wvdec: Check rate for overflow

Michael Niedermayer michael at niedermayer.cc
Mon Sep 21 12:55:03 EEST 2020


On Mon, Sep 21, 2020 at 12:43:22AM +0200, Paul B Mahol wrote:
> On Sun, Sep 20, 2020 at 10:26:05PM +0200, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: 6000 * -2147483648 cannot be represented in type 'int'
> > Fixes: 25700/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6578316302352384
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavformat/wvdec.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/wvdec.c b/libavformat/wvdec.c
> > index b9fc6a59f9..b7d8dbbe78 100644
> > --- a/libavformat/wvdec.c
> > +++ b/libavformat/wvdec.c
> > @@ -192,7 +192,7 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb)
> >              if (id & 0x40)
> >                  avio_skip(pb, 1);
> >          }
> > -        if (rate == -1) {
> > +        if (rate == -1 || rate * (uint64_t)rate_x >= INT_MAX) {
> >              av_log(ctx, AV_LOG_ERROR,
> 
> AFAIK rate_x should be unsigned type from start.
> rate_x can be max (1U << 31)
> Otherwise patch is acceptable.

will apply with rate_x type also changed to unsigned

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200921/a5e2fc87/attachment.sig>


More information about the ffmpeg-devel mailing list