[FFmpeg-cvslog] avformat/tedcaptionsdec: Check for overflow in parse_int()
Michael Niedermayer
git at videolan.org
Fri Jan 29 20:37:26 EET 2021
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Nov 7 21:11:32 2020 +0100| [b0f8586ca9853ab3d324ccd3c42bad4375000b0a] | committer: Michael Niedermayer
avformat/tedcaptionsdec: Check for overflow in parse_int()
Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long'
Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b0f8586ca9853ab3d324ccd3c42bad4375000b0a
---
libavformat/tedcaptionsdec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c
index 6c25d602d6..c15aeea06c 100644
--- a/libavformat/tedcaptionsdec.c
+++ b/libavformat/tedcaptionsdec.c
@@ -172,6 +172,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result)
if ((unsigned)*cur_byte - '0' > 9)
return AVERROR_INVALIDDATA;
while (BETWEEN(*cur_byte, '0', '9')) {
+ if (val > INT_MAX/10 - (*cur_byte - '0'))
+ return AVERROR_INVALIDDATA;
val = val * 10 + (*cur_byte - '0');
next_byte(pb, cur_byte);
}
More information about the ffmpeg-cvslog
mailing list