[FFmpeg-cvslog] avcodec/vp9_superframe_split_bsf: Fix integer overflow in frame_size/total_size checks
Michael Niedermayer
git at videolan.org
Sun Dec 10 21:16:43 EET 2017
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed Dec 6 22:42:05 2017 +0100| [eaff5fcb7cde8d1614755269773d471d3a3d1bfc] | committer: Michael Niedermayer
avcodec/vp9_superframe_split_bsf: Fix integer overflow in frame_size/total_size checks
Fixes: signed integer overflow: -1698586465 + -551542752 cannot be represented in type 'int'
Fixes: 4490/clusterfuzz-testcase-minimized-5210014592532480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eaff5fcb7cde8d1614755269773d471d3a3d1bfc
---
libavcodec/vp9_superframe_split_bsf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c
index 6d6d8e664d..0d2523ebf7 100644
--- a/libavcodec/vp9_superframe_split_bsf.c
+++ b/libavcodec/vp9_superframe_split_bsf.c
@@ -59,7 +59,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
if (in->size >= idx_size && in->data[in->size - idx_size] == marker) {
GetByteContext bc;
- int total_size = 0;
+ int64_t total_size = 0;
bytestream2_init(&bc, in->data + in->size + 1 - idx_size,
nb_frames * length_size);
@@ -70,7 +70,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
frame_size |= bytestream2_get_byte(&bc) << (j * 8);
total_size += frame_size;
- if (total_size > in->size - idx_size) {
+ if (frame_size < 0 || total_size > in->size - idx_size) {
av_log(ctx, AV_LOG_ERROR,
"Invalid frame size in a superframe: %d\n", frame_size);
ret = AVERROR(EINVAL);
More information about the ffmpeg-cvslog
mailing list