[FFmpeg-devel] [PATCH 3/4] avformat/moflex: Check pop_int() for overflow
Michael Niedermayer
michael at niedermayer.cc
Sun Sep 20 23:26:07 EEST 2020
Fixes: signed integer overflow: 2 * 2132811776 cannot be represented in type 'int'
Fixes: 25722/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6221704077246464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavformat/moflex.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/moflex.c b/libavformat/moflex.c
index 2111157408..937f63cb63 100644
--- a/libavformat/moflex.c
+++ b/libavformat/moflex.c
@@ -62,6 +62,8 @@ static int pop_int(BitReader *br, AVIOContext *pb, int n)
if (ret < 0)
return ret;
+ if (ret > INT_MAX - value - value)
+ return AVERROR_INVALIDDATA;
value = 2 * value + ret;
}
--
2.17.1
More information about the ffmpeg-devel
mailing list