virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00
Code Issues Releases Activity

avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions

Browse Source 
Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 'int'
Fixes: 9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f457c0ad7f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2018-07-22 21:26:24 +02:00
parent ee5b42ce2f
commit c07d568603
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/diracdec.c
View File

@ -1242,7 +1242,10 @@ static int dirac_unpack_idwt_params(DiracContext *s)
else {
s->num_x = get_interleaved_ue_golomb(gb);
s->num_y = get_interleaved_ue_golomb(gb);
if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) {
if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX ||
s->num_x * (uint64_t)s->avctx->width > INT_MAX ||
s->num_y * (uint64_t)s->avctx->height > INT_MAX
) {
av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
s->num_x = s->num_y = 0;
return AVERROR_INVALIDDATA;