[FFmpeg-cvslog] avformat/rpl: Check for number_of_chunks overflow

Michael Niedermayer git at videolan.org
Thu Oct 19 14:32:15 EEST 2023


ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Sat Sep 30 21:14:28 2023 +0200| [4c295a05a3a5acd304ea285e6b292e86e55c5c0f] | committer: Michael Niedermayer

avformat/rpl: Check for number_of_chunks overflow

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int32_t' (aka 'int')
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6086131095830528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit b3c973acbecb879d4949fecdadd2fdfc08dea42b)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c295a05a3a5acd304ea285e6b292e86e55c5c0f
---

 libavformat/rpl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/rpl.c b/libavformat/rpl.c
index 635cd67824..d2f9d6ec13 100644
--- a/libavformat/rpl.c
+++ b/libavformat/rpl.c
@@ -240,6 +240,9 @@ static int rpl_read_header(AVFormatContext *s)
                "Video stream will be broken!\n", vst->codec->codec_tag);
 
     number_of_chunks = read_line_and_int(pb, &error);  // number of chunks in the file
+    if (number_of_chunks == INT_MAX)
+        return AVERROR_INVALIDDATA;
+
     // The number in the header is actually the index of the last chunk.
     number_of_chunks++;
 



More information about the ffmpeg-cvslog mailing list