diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2020-12-03 00:54:46 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-09-10 16:04:26 +0200 |
| commit | 8493ee2af5237ae9606c385a98a88deab6995990 (patch) | |
| tree | bcba63f6b2d38c7527bfd89527a184a150e817e3 | |
| parent | 95da75eb99b6060564f7ba50700df581a872f34f (diff) | |
| download | ffmpeg-8493ee2af5237ae9606c385a98a88deab6995990.tar.gz | |
avformat/rmdec: Reorder operations to avoid overflow
Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int'
Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b12e713b8061cc6a71ec69da946552bc593d5fa7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/rmdec.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 6136bec727..8414db9a7e 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -716,9 +716,9 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre av_log(s, AV_LOG_WARNING, "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); - len -= 14; // we already read part of the index header - if(len<0) + if(len < 14) continue; + len -= 14; // we already read part of the index header goto skip; } else if (state == MKBETAG('D','A','T','A')) { av_log(s, AV_LOG_WARNING, |