falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
Browse Source

avcodec/truemotion2: Move skip computation after checks 

Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int'
Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3c716682a8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
tags/n3.3.3
Michael Niedermayer 8 years ago
parent
15cc151709
commit
1729101c44
1 changed files with 2 additions and 2 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +2
    -2
      libavcodec/truemotion2.c

+ 2
- 2
libavcodec/truemotion2.c View File

@@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
/* get stream length in dwords */ /* get stream length in dwords */
bytestream2_init(&gb, buf, buf_size); bytestream2_init(&gb, buf, buf_size);
len = bytestream2_get_be32(&gb); len = bytestream2_get_be32(&gb);
skip = len * 4 + 4;


if (len == 0) if (len == 0)
return 4; return 4;


if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) {
if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) {
av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n"); av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
skip = len * 4 + 4;


toks = bytestream2_get_be32(&gb); toks = bytestream2_get_be32(&gb);
if (toks & 1) { if (toks & 1) {


Write Preview
Loading…
Cancel
Save