ffmpeg | branch: release/3.4 | Michael Niedermayer <mich...@niedermayer.cc> | Sun Jul 22 21:26:24 2018 +0200| [a594ce26ce3842a1a52558bcfc3f8f57fd5c6f45] | committer: Michael Niedermayer
avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 'int' Fixes: 9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit f457c0ad7f73e31e99761f2ad3738cf3b3c24ca0) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a594ce26ce3842a1a52558bcfc3f8f57fd5c6f45 --- libavcodec/diracdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 376732c310..2ceb2234c6 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1242,7 +1242,10 @@ static int dirac_unpack_idwt_params(DiracContext *s) else { s->num_x = get_interleaved_ue_golomb(gb); s->num_y = get_interleaved_ue_golomb(gb); - if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) { + if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX || + s->num_x * (uint64_t)s->avctx->width > INT_MAX || + s->num_y * (uint64_t)s->avctx->height > INT_MAX + ) { av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); s->num_x = s->num_y = 0; return AVERROR_INVALIDDATA; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog