avcodec/vp9_superframe_split_bsf: Fix integer overflow in frame_size/total_size checks

Fixes: signed integer overflow: -1698586465 + -551542752 cannot be represented in type 'int' Fixes: 4490/clusterfuzz-testcase-minimized-5210014592532480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-13 21:28:01 +02:00 · 2017-12-06 22:42:05 +01:00 · 2017-12-06 22:42:05 +01:00 · eaff5fcb7c
commit eaff5fcb7c
parent 1d0817d56b
1 changed files with 2 additions and 2 deletions
--- a/libavcodec/vp9_superframe_split_bsf.c
+++ b/libavcodec/vp9_superframe_split_bsf.c
@ -59,7 +59,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)

            if (in->size >= idx_size && in->data[in->size - idx_size] == marker) {
                GetByteContext bc;
-                int total_size = 0;
+                int64_t total_size = 0;

                bytestream2_init(&bc, in->data + in->size + 1 - idx_size,
                                 nb_frames * length_size);
@ -70,7 +70,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
                        frame_size |= bytestream2_get_byte(&bc) << (j * 8);

                    total_size += frame_size;
-                    if (total_size > in->size - idx_size) {
+                    if (frame_size < 0 || total_size > in->size - idx_size) {
                        av_log(ctx, AV_LOG_ERROR,
                               "Invalid frame size in a superframe: %d\n", frame_size);
                        ret = AVERROR(EINVAL);