[FFmpeg-devel] [PATCH] avcodec/mjpegdec: Fixes runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int'

wm4 nfxjfg at googlemail.com
Sun Mar 26 19:51:11 EEST 2017


On Sun, 26 Mar 2017 18:11:01 +0200
Michael Niedermayer <michael at niedermayer.cc> wrote:

> Fixes: 943/clusterfuzz-testcase-5114865297391616
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/mjpegdec.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
> index f26e8a3f9a..e08b045fe7 100644
> --- a/libavcodec/mjpegdec.c
> +++ b/libavcodec/mjpegdec.c
> @@ -757,7 +757,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block,
>                                      uint16_t *quant_matrix,
>                                      int ss, int se, int Al, int *EOBRUN)
>  {
> -    int code, i, j, level, val, run;
> +    int code, i, j, val, run;
> +    SUINT level;
>  
>      if (*EOBRUN) {
>          (*EOBRUN)--;
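Review bot: the change of `level` to `SUINT` carries no comment, and the commit message only names the sanitizer report it silences, so the intent of the new type is not documented; please add a short comment at `SUINT level;` (or a sentence in the commit message) stating that the multiplication is meant to wrap modulo 2^32 and that the value is truncated when it is stored back into the `int16_t *block`. The context in this hunk stops before the lines where `level` is assigned, multiplied or compared, so it cannot be seen here whether every use of `level` tolerates an unsigned operand; any comparison against a negative bound or right shift of a negative `level` changes meaning once the type is unsigned, and listing the affected expressions in the commit message would make that reviewable.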

Please make the type either signed or unsigned. Making it both
(depending on the debug level) just to make the fuzzer happy (or
something more complicated than that?) isn't a good idea. You probably
want to make it always unsigned?
