[FFmpeg-devel] [PATCH 13/13] avformat/westwood_vqa: Check chunk size
Michael Niedermayer
michael at niedermayer.cc
Thu Sep 22 19:28:17 EEST 2022
On Thu, Sep 22, 2022 at 03:01:05PM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2022-09-18 19:14:10)
> > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> > Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavformat/westwood_vqa.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c
> > index e3d2e2668c4..bd8df5e0b34 100644
> > --- a/libavformat/westwood_vqa.c
> > +++ b/libavformat/westwood_vqa.c
> > @@ -274,6 +274,8 @@ static int wsvqa_read_packet(AVFormatContext *s,
> > return AVERROR(EIO);
> >
> > /* the decoder expects chunks to be 16-bit aligned */
> > + if (wsvqa->vqfl_chunk_size == INT_MAX)
> > + return AVERROR_INVALIDDATA;
>
> IIUC this can only happen after the
> wsvqa->vqfl_chunk_size > 3 * (1 << 20)
> check above was triggered. Then it makes more sense to change that code
> to check chunk_size before setting wsvqa->vqfl_chunk_size.
i will post a new patch
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
It is what and why we do it that matters, not just one of them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220922/88641e02/attachment.sig>
More information about the ffmpeg-devel
mailing list