Fixes: signed integer overflow: 2105344 * 539033345 cannot be represented in type 'int' Fixes: out of array write Fixes: 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/speexdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c index 4c50f54f27b..05f084de2e5 100644 --- a/libavcodec/speexdec.c +++ b/libavcodec/speexdec.c @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext *avctx, return AVERROR_INVALIDDATA; s->vbr = bytestream_get_le32(&buf); s->frames_per_packet = bytestream_get_le32(&buf); - if (s->frames_per_packet <= 0) + if (s->frames_per_packet <= 0 || s->frames_per_packet >= INT32_MAX / s->frame_size) return AVERROR_INVALIDDATA; s->extra_headers = bytestream_get_le32(&buf); -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".