Fixes: signed integer overflow: 2147483647 + 4 cannot be represented in type 'int' Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/rtv1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c index 06afe9e873c..807c8a34666 100644 --- a/libavcodec/rtv1.c +++ b/libavcodec/rtv1.c @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, width = bytestream2_get_le32(&gb); height = bytestream2_get_le32(&gb); + if (width > INT_MAX-4U || height > INT_MAX-4U) + return AVERROR_INVALIDDATA; ret = ff_set_dimensions(avctx, FFALIGN(width, 4), FFALIGN(height, 4)); if (ret < 0) return ret; -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
