diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2020-09-20 21:23:38 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2020-09-21 11:56:54 +0200 |
| commit | dfbea7b210ac95e59446f9512b25688df44c108b (patch) | |
| tree | e06ff87d551a1de34b1855658b8689ff3103ac67 /libavformat/moflex.c | |
| parent | 7170d342e597a39f48d1bedb3a2382f25a324155 (diff) | |
| download | ffmpeg-dfbea7b210ac95e59446f9512b25688df44c108b.tar.gz | |
avformat/moflex: Check pop_int() for overflow
Fixes: signed integer overflow: 2 * 2132811776 cannot be represented in type 'int'
Fixes: 25722/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6221704077246464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat/moflex.c')
| -rw-r--r-- | libavformat/moflex.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/moflex.c b/libavformat/moflex.c index 2111157408..937f63cb63 100644 --- a/libavformat/moflex.c +++ b/libavformat/moflex.c @@ -62,6 +62,8 @@ static int pop_int(BitReader *br, AVIOContext *pb, int n) if (ret < 0) return ret; + if (ret > INT_MAX - value - value) + return AVERROR_INVALIDDATA; value = 2 * value + ret; } |