diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2020-11-03 19:21:18 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-02-02 14:18:21 +0100 |
| commit | 7e35903d42f890bc6102c548834abc04c472b5d6 (patch) | |
| tree | f97c1329f9ae6f52d9b42c562c002e7919222327 /libavcodec/utils.c | |
| parent | 6102e7ca968690ff3c691a0d2d3a7535b9bcbe53 (diff) | |
| download | ffmpeg-7e35903d42f890bc6102c548834abc04c472b5d6.tar.gz | |
avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK
Fixes: signed integer overflow: 131203586 * 28 cannot be represented in type 'int'
Fixes: 26817/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6296902548848640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2488ba85a0fa5ee4125888258d3d95ce3f03bbb6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/utils.c')
| -rw-r--r-- | libavcodec/utils.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 236cdf1feb..5dcfb8a506 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1670,7 +1670,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, return frame_bytes / (9 * ch) * 16; case AV_CODEC_ID_ADPCM_PSX: case AV_CODEC_ID_ADPCM_DTK: - return frame_bytes / (16 * ch) * 28; + frame_bytes /= 16 * ch; + if (frame_bytes > INT_MAX / 28) + return 0; + return frame_bytes * 28; case AV_CODEC_ID_ADPCM_4XM: case AV_CODEC_ID_ADPCM_IMA_DAT4: case AV_CODEC_ID_ADPCM_IMA_ISS: |