[FFmpeg-cvslog] avcodec/exr: Check col/line for integer overflow
Michael Niedermayer
git at videolan.org
Sat Mar 13 22:52:39 EET 2021
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Feb 1 21:24:50 2021 +0100| [312bcdbfc13227de9e4c3f9e38541b05c84a0639] | committer: Michael Niedermayer
avcodec/exr: Check col/line for integer overflow
Fixes: signed integer overflow: -2272 + -2147483360 cannot be represented in type 'int'
Fixes: 30009/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5005660322398208
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=312bcdbfc13227de9e4c3f9e38541b05c84a0639
---
libavcodec/exr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 8a714c1a3a..279cfe9412 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1214,6 +1214,11 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
return AVERROR_PATCHWELCOME;
}
+ if (tile_x && s->tile_attr.xSize + (int64_t)FFMAX(s->xmin, 0) >= INT_MAX / tile_x )
+ return AVERROR_INVALIDDATA;
+ if (tile_y && s->tile_attr.ySize + (int64_t)FFMAX(s->ymin, 0) >= INT_MAX / tile_y )
+ return AVERROR_INVALIDDATA;
+
line = s->ymin + s->tile_attr.ySize * tile_y;
col = s->tile_attr.xSize * tile_x;
More information about the ffmpeg-cvslog
mailing list