James Almer: > On 3/25/2024 11:30 PM, Michael Niedermayer wrote: >> Fixes: signed integer overflow: 2147483647 + 4 cannot be represented >> in type 'int' >> Fixes: >> 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240 >> >> Found-by: continuous fuzzing process >> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> >> --- >> libavcodec/rtv1.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c >> index 06afe9e873c..807c8a34666 100644 >> --- a/libavcodec/rtv1.c >> +++ b/libavcodec/rtv1.c >> @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, >> AVFrame *p, >> width = bytestream2_get_le32(&gb); >> height = bytestream2_get_le32(&gb); >> + if (width > INT_MAX-4U || height > INT_MAX-4U) > > Does this promote width and height to unsigned? If not, you may want to > cast them to unsigned (or check for < 0) and remove the then unnecessary > U to the 4.
The right hand side of the comparisons is an unsigned; if width and height are ints (as I presume based upon the commit message), they get promoted to unsigned. > >> + return AVERROR_INVALIDDATA; >> ret = ff_set_dimensions(avctx, FFALIGN(width, 4), >> FFALIGN(height, 4)); >> if (ret < 0) >> return ret; > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
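
Review bot: on the added line `if (width > INT_MAX-4U || height > INT_MAX-4U)`, the check depends on the `4U` literal to make the comparison unsigned, and the declarations of `width` and `height` are not visible in this hunk. If they are `int`, a negative value read by `bytestream2_get_le32()` is converted to a large unsigned value and rejected, which is the wanted outcome but is easy to break with a later edit that drops the `U`. Consider spelling the intent out, for example `width < 0 || width > INT_MAX - 4` (and the same for `height`), or adding a one-line comment that the unsigned comparison is deliberate.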
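
The conversion discussed in the reply above, as an added example (not code from the patch or from FFmpeg): it compares the mixed signed/unsigned check with an all-signed one and with an explicit range check. It assumes `width` and `height` are `int`, which the thread presumes but the hunk does not show; the function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* The mixed comparison is the point of the example, so silence the
 * sign-compare diagnostic some compilers emit for it. */
#pragma GCC diagnostic ignored "-Wsign-compare"

/* Same expression shape as the patch: INT_MAX - 4U has type unsigned, so
 * the int on the left is converted to unsigned before comparing
 * (usual arithmetic conversions). Negative inputs become huge values. */
static int rejects_mixed(int v)
{
    return v > INT_MAX - 4U;
}

/* All-signed variant for contrast: no conversion takes place, so a
 * negative value compares as small and is NOT rejected. */
static int rejects_signed(int v)
{
    return v > INT_MAX - 4;
}

/* Explicit form with the same result as the mixed check. */
static int rejects_explicit(int v)
{
    return v < 0 || v > INT_MAX - 4;
}

int main(void)
{
    /* Constructed sample inputs around the boundaries of interest. */
    const int samples[] = { 0, 640, INT_MAX - 4, INT_MAX - 3, INT_MAX, -1, INT_MIN };
    size_t i;

    printf("%12s %6s %7s %9s\n", "value", "mixed", "signed", "explicit");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%12d %6d %7d %9d\n", samples[i],
               rejects_mixed(samples[i]),
               rejects_signed(samples[i]),
               rejects_explicit(samples[i]));
    return 0;
}
```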