[FFmpeg-cvslog] avcodec/speexdec: Check frames_per_packet more completely
Michael Niedermayer
git at videolan.org
Sun Nov 14 18:53:36 EET 2021
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Fri Oct 15 00:01:06 2021 +0200| [866ad2e95262606b194cb2e79ce8a7e63c32ce06] | committer: Michael Niedermayer
avcodec/speexdec: Check frames_per_packet more completely
Fixes: signed integer overflow: 2105344 * 539033345 cannot be represented in type 'int'
Fixes: out of array write
Fixes: 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480
Fixes: 40293/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-5219910217760768
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=866ad2e95262606b194cb2e79ce8a7e63c32ce06
---
libavcodec/speexdec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
index 90e95f0785..e263d4c48c 100644
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -1423,7 +1423,9 @@ static int parse_speex_extradata(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
s->vbr = bytestream_get_le32(&buf);
s->frames_per_packet = bytestream_get_le32(&buf);
- if (s->frames_per_packet <= 0)
+ if (s->frames_per_packet <= 0 ||
+ s->frames_per_packet > 64 ||
+ s->frames_per_packet >= INT32_MAX / s->nb_channels / s->frame_size)
return AVERROR_INVALIDDATA;
s->extra_headers = bytestream_get_le32(&buf);
More information about the ffmpeg-cvslog
mailing list