diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2019-11-08 17:28:27 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2020-07-01 12:49:26 +0200 |
| commit | 44f4ee27abb3439a7617ca14462b841144e66ca7 (patch) | |
| tree | 15abaeee4e63e9eb3a2fec0f04eceea7f8c38de8 | |
| parent | e3bcbaa7c92dec44610ce39101942af856f59bf8 (diff) | |
| download | ffmpeg-44f4ee27abb3439a7617ca14462b841144e66ca7.tar.gz | |
avcodec/vmdaudio: Check chunk counts to avoid integer overflow
Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int'
Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47d963335eb2c36c0e6615d7971c762458e813dd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/vmdaudio.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/vmdaudio.c b/libavcodec/vmdaudio.c index e8c8a064c7..c7826fa3ce 100644 --- a/libavcodec/vmdaudio.c +++ b/libavcodec/vmdaudio.c @@ -179,6 +179,9 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* drop incomplete chunks */ buf_size = audio_chunks * s->chunk_size; + if (silent_chunks + audio_chunks >= INT_MAX / avctx->block_align) + return AVERROR_INVALIDDATA; + /* get output buffer */ frame->nb_samples = ((silent_chunks + audio_chunks) * avctx->block_align) / avctx->channels; |