diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2019-08-31 00:20:39 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-09-16 00:53:18 +0200 |
commit | 5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac (patch) | |
tree | 66ccb749e8ee3f85e72b9c79b50a5f3445821c1d /libavformat/cdxl.c | |
parent | 9fac243744c6c0ce2a2cf23550bc48b736661379 (diff) | |
download | ffmpeg-5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac.tar.gz |
avformat/cdxl: Fix integer overflow in intermediate
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int'
Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat/cdxl.c')
-rw-r--r-- | libavformat/cdxl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index 9aacaddb40..e675b2c8f1 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); - if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + if (cdxl->header[19] == 0 || + FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) return AVERROR_INVALIDDATA; if (format == 0x20) image_size = width * height * cdxl->header[19] / 8; |