[FFmpeg-cvslog] avformat/moflex: Check pop_int() for overflow
Michael Niedermayer
git at videolan.org
Mon Sep 21 13:03:02 EEST 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Sep 20 21:23:38 2020 +0200| [dfbea7b210ac95e59446f9512b25688df44c108b] | committer: Michael Niedermayer
avformat/moflex: Check pop_int() for overflow
Fixes: signed integer overflow: 2 * 2132811776 cannot be represented in type 'int'
Fixes: 25722/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6221704077246464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dfbea7b210ac95e59446f9512b25688df44c108b
---
libavformat/moflex.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/moflex.c b/libavformat/moflex.c
index 2111157408..937f63cb63 100644
--- a/libavformat/moflex.c
+++ b/libavformat/moflex.c
@@ -62,6 +62,8 @@ static int pop_int(BitReader *br, AVIOContext *pb, int n)
if (ret < 0)
return ret;
+ if (ret > INT_MAX - value - value)
+ return AVERROR_INVALIDDATA;
value = 2 * value + ret;
}
More information about the ffmpeg-cvslog
mailing list