1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00

avcodec/exr: Fix undefined integer multiplication

Fixes: signed integer overflow: 7020950083487072256 * 2 cannot be represented in type 'long long'
Fixes: 37523/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5133634955771904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e67deaf86c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-09-14 00:14:56 +02:00
parent 65d6de52f1
commit be267aa08b

View File

@ -1033,12 +1033,14 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
}
if (ac_size > 0) {
unsigned long dest_len = ac_count * 2LL;
unsigned long dest_len;
GetByteContext agb = gb;
if (ac_count > 3LL * td->xsize * s->scan_lines_per_block)
return AVERROR_INVALIDDATA;
dest_len = ac_count * 2LL;
av_fast_padded_malloc(&td->ac_data, &td->ac_size, dest_len);
if (!td->ac_data)
return AVERROR(ENOMEM);
@ -1062,12 +1064,14 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
}
{
unsigned long dest_len = dc_count * 2LL;
unsigned long dest_len;
GetByteContext agb = gb;
if (dc_count != dc_w * dc_h * 3)
return AVERROR_INVALIDDATA;
dest_len = dc_count * 2LL;
av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);
if (!td->dc_data)
return AVERROR(ENOMEM);