[FFmpeg-cvslog] avformat/cafdec: Check that nb_frasmes fits within 64bit

Michael Niedermayer git at videolan.org
Fri Oct 21 23:51:48 EEST 2022


ffmpeg | branch: release/3.2 | Michael Niedermayer <michael at niedermayer.cc> | Sat Sep 17 21:48:43 2022 +0200| [2dacd939ace7ff2ec41c4b81a412bb7bd3f7ccd7] | committer: Michael Niedermayer

avformat/cafdec: Check that nb_frasmes fits within 64bit

Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit d4bb4e375975dc0d31d5309106cf6ee0ed75140f)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2dacd939ace7ff2ec41c4b81a412bb7bd3f7ccd7
---

 libavformat/cafdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index 3d9c48eaf8..5452273414 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -335,7 +335,7 @@ static int read_header(AVFormatContext *s)
         return AVERROR_INVALIDDATA;
 
     if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) {
-        if (caf->data_size > 0)
+        if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet)
             st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet;
     } else if (st->nb_index_entries && st->duration > 0) {
         st->codecpar->bit_rate = st->codecpar->sample_rate * caf->data_size * 8 /



More information about the ffmpeg-cvslog mailing list