[FFmpeg-cvslog] avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
Michael Niedermayer
git at videolan.org
Sun Oct 28 03:55:46 EEST 2018
ffmpeg | branch: release/3.4 | Michael Niedermayer <michael at niedermayer.cc> | Sun Jul 22 21:42:16 2018 +0200| [9abcade734cb72a908264ca29f187554cdfde8c8] | committer: Michael Niedermayer
avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 'int'
Fixes: 9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit bed125b7108481574f36fdd6ee699b27354602e8)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9abcade734cb72a908264ca29f187554cdfde8c8
---
libavcodec/diracdec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 2ceb2234c6..04f54634e0 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -985,6 +985,10 @@ static int decode_lowdelay(DiracContext *s)
for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) {
bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den
- slice_num * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den;
+ if (bytes >= INT_MAX || bytes*8 > bufsize) {
+ av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n");
+ return AVERROR_INVALIDDATA;
+ }
slices[slice_num].bytes = bytes;
slices[slice_num].slice_x = slice_x;
slices[slice_num].slice_y = slice_y;
More information about the ffmpeg-cvslog
mailing list