[FFmpeg-cvslog] avutil/avsscanf: Add () to avoid integer overflow in scanexp()
Michael Niedermayer
git at videolan.org
Wed Jul 1 12:48:40 EEST 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Thu Jun 18 11:56:53 2020 +0200| [42b28565aa852b98d95d8d02f7b0781999f9d533] | committer: Michael Niedermayer
avutil/avsscanf: Add () to avoid integer overflow in scanexp()
Fixes: signed integer overflow: 2147483610 + 52 cannot be represented in type 'int'
Fixes: 23260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-5187871274434560
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=42b28565aa852b98d95d8d02f7b0781999f9d533
---
libavutil/avsscanf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavutil/avsscanf.c b/libavutil/avsscanf.c
index 1c85412fd4..850c117940 100644
--- a/libavutil/avsscanf.c
+++ b/libavutil/avsscanf.c
@@ -229,9 +229,9 @@ static long long scanexp(FFFILE *f, int pok)
return LLONG_MIN;
}
for (x=0; c-'0'<10U && x<INT_MAX/10; c = shgetc(f))
- x = 10*x + c-'0';
+ x = 10*x + (c-'0');
for (y=x; c-'0'<10U && y<LLONG_MAX/100; c = shgetc(f))
- y = 10*y + c-'0';
+ y = 10*y + (c-'0');
for (; c-'0'<10U; c = shgetc(f));
shunget(f);
return neg ? -y : y;
More information about the ffmpeg-cvslog
mailing list