diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-15 23:41:46 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-17 02:23:07 +0200 |
| commit | 39d9308b992a4d90349fd1b001f34b15fdb0ab02 (patch) | |
| tree | 3106da386da92d914e3447841a898396702dfc10 | |
| parent | d09ec6c27f853a47893a917992038d0b2c28359a (diff) | |
| download | ffmpeg-39d9308b992a4d90349fd1b001f34b15fdb0ab02.tar.gz | |
avcodec/truemotion2: Move skip computation after checks
Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int'
Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3c716682a8b69e6644a385a663aaf0e5dc808ae8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/truemotion2.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index e6ae05f1d5..a463a925fd 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i /* get stream length in dwords */ bytestream2_init(&gb, buf, buf_size); len = bytestream2_get_be32(&gb); - skip = len * 4 + 4; if (len == 0) return 4; - if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) { + if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) { av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n"); return AVERROR_INVALIDDATA; } + skip = len * 4 + 4; toks = bytestream2_get_be32(&gb); if (toks & 1) { |