On 3/25/2024 11:30 PM, Michael Niedermayer wrote:
Fixes: signed integer overflow: 2147483647 + 4 cannot be represented in type
'int'
Fixes:
62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/rtv1.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c
index 06afe9e873c..807c8a34666 100644
--- a/libavcodec/rtv1.c
+++ b/libavcodec/rtv1.c
@@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
width = bytestream2_get_le32(&gb);
height = bytestream2_get_le32(&gb);
+ if (width > INT_MAX-4U || height > INT_MAX-4U)
Does this promote width and height to unsigned? If not, you may want to
cast them to unsigned (or check for < 0) and remove the then unnecessary
U to the 4.
+ return AVERROR_INVALIDDATA;
ret = ff_set_dimensions(avctx, FFALIGN(width, 4), FFALIGN(height, 4));
if (ret < 0)
return ret;
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
