avformat/tedcaptionsdec: Check for overflow in parse_int()

Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long' Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit b0f8586ca9853ab3d324ccd3c42bad4375000b0a) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-11-07 21:11:32 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-02-02 14:18:21 +0100
commit: 9e1fede2315c5ab0ca87290eaff7facfe7bbc43c (patch)
tree: 607b8d7ee1d7b3d83914370e0bd247c405a1377b
parent: 220eaaf6b6ca08b5a5bf211be62a7cfdd1a42271 (diff)
download: ffmpeg-9e1fede2315c5ab0ca87290eaff7facfe7bbc43c.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c
index 3255819e77..8b44528982 100644
--- a/libavformat/tedcaptionsdec.c
+++ b/libavformat/tedcaptionsdec.c
@@ -181,6 +181,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result)
     if ((unsigned)*cur_byte - '0' > 9)
         return AVERROR_INVALIDDATA;
     while (BETWEEN(*cur_byte, '0', '9')) {
+        if (val > INT_MAX/10 - (*cur_byte - '0'))
+            return AVERROR_INVALIDDATA;
         val = val * 10 + (*cur_byte - '0');
         next_byte(pb, cur_byte);
     }
author	Michael Niedermayer <michael@niedermayer.cc>	2020-11-07 21:11:32 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-02-02 14:18:21 +0100
commit	9e1fede2315c5ab0ca87290eaff7facfe7bbc43c (patch)
tree	607b8d7ee1d7b3d83914370e0bd247c405a1377b
parent	220eaaf6b6ca08b5a5bf211be62a7cfdd1a42271 (diff)
download	ffmpeg-9e1fede2315c5ab0ca87290eaff7facfe7bbc43c.tar.gz