[FFmpeg-devel] [PATCH 3/4] avformat/moflex: Check pop_int() for overflow

Paul B Mahol onemda at gmail.com
Mon Sep 21 01:32:14 EEST 2020


On Sun, Sep 20, 2020 at 10:26:07PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2 * 2132811776 cannot be represented in type 'int'
> Fixes: 25722/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6221704077246464
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/moflex.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavformat/moflex.c b/libavformat/moflex.c
> index 2111157408..937f63cb63 100644
> --- a/libavformat/moflex.c
> +++ b/libavformat/moflex.c
> @@ -62,6 +62,8 @@ static int pop_int(BitReader *br, AVIOContext *pb, int n)
>  
>          if (ret < 0)
>              return ret;
> +        if (ret > INT_MAX - value - value)
> +            return AVERROR_INVALIDDATA;
>          value = 2 * value + ret;

Generally acceptable.


More information about the ffmpeg-devel mailing list