virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-02-20 07:48:15 +02:00
Code Issues Releases Activity

avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'

Browse Source 
Fixes: 1656/clusterfuzz-testcase-minimized-5900404925661184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 94d05ff15985d17aba070eaec82acd21c0da3d86)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-05-17 16:45:46 +02:00
parent d2f43c48f9
commit f0a24f2f77
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/aacdec.c
View File

@ -424,6 +424,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb)
if (ctx->frame_length_type == 0) {
int mux_slot_length = 0;
do {
if (get_bits_left(gb) < 8)
return AVERROR_INVALIDDATA;
tmp = get_bits(gb, 8);
mux_slot_length += tmp;
} while (tmp == 255);
@ -453,7 +455,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx,
}
if (latmctx->audio_mux_version_A == 0) {
int mux_slot_length_bytes = read_payload_length_info(latmctx, gb);
if (mux_slot_length_bytes * 8 > get_bits_left(gb)) {
if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) {
av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n");
return AVERROR_INVALIDDATA;
} else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) {