diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-15 23:41:46 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-20 02:05:09 +0200 |
commit | a5feb7e9bd4742f3790e7cff691164899bc0e5c9 (patch) | |
tree | 148589e0d52beed942277ecf390890c3d37be206 | |
parent | 23d02b44655774de30aaead4ec5237f281ecbaea (diff) | |
download | ffmpeg-a5feb7e9bd4742f3790e7cff691164899bc0e5c9.tar.gz |
avcodec/truemotion2: Move skip computation after checks
Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int'
Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3c716682a8b69e6644a385a663aaf0e5dc808ae8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/truemotion2.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index e6ae05f1d5..a463a925fd 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i /* get stream length in dwords */ bytestream2_init(&gb, buf, buf_size); len = bytestream2_get_be32(&gb); - skip = len * 4 + 4; if (len == 0) return 4; - if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) { + if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) { av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n"); return AVERROR_INVALIDDATA; } + skip = len * 4 + 4; toks = bytestream2_get_be32(&gb); if (toks & 1) { |