[FFmpeg-devel] [PATCH 3/3] avformat/rmdec: Check codec_length without overflow
Michael Niedermayer
michael at niedermayer.cc
Tue Feb 16 19:57:29 EET 2021
On Mon, Feb 15, 2021 at 09:38:44PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int'
> > Fixes: 30333/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5175286983426048
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavformat/rmdec.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
> > index 521b9d0e8c..613fb407df 100644
> > --- a/libavformat/rmdec.c
> > +++ b/libavformat/rmdec.c
> > @@ -223,7 +223,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
> > if (version == 5)
> > avio_r8(pb);
> > codecdata_length = avio_rb32(pb);
> > - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){
> > + if(codecdata_length < 0 || codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){
> > av_log(s, AV_LOG_ERROR, "codecdata_length too large\n");
> > return -1;
> > }
> >
> The first of these checks can be avoided by making codecdata_length
> unsigned.
will apply unsigned style check
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Everything should be made as simple as possible, but not simpler.
-- Albert Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20210216/e3216e1c/attachment.sig>
More information about the ffmpeg-devel
mailing list