Fixes: signed integer overflow: 2040812214 + 255101526 cannot be represented in 
type 'int'
Fixes: 
51323/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-4791481067503616

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/bonk.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 409694f710d..32f7c9b9bdb 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -187,6 +187,9 @@ static int intlist_read(BonkContext *s, int *buf, int 
entries, int base_2_part)
             if (!dominant)
                 n_zeros += steplet;
 
+            if (step > INT_MAX/9*8)
+                return AVERROR_INVALIDDATA;
+
             step += step / 8;
         } else if (steplet > 0) {
             int actual_run = read_uint_max(s, steplet - 1);
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to