aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-06-15 23:41:46 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-06-20 02:05:09 +0200
commita5feb7e9bd4742f3790e7cff691164899bc0e5c9 (patch)
tree148589e0d52beed942277ecf390890c3d37be206
parent23d02b44655774de30aaead4ec5237f281ecbaea (diff)
downloadffmpeg-a5feb7e9bd4742f3790e7cff691164899bc0e5c9.tar.gz
avcodec/truemotion2: Move skip computation after checks
Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int' Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 3c716682a8b69e6644a385a663aaf0e5dc808ae8) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/truemotion2.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index e6ae05f1d5..a463a925fd 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -298,15 +298,15 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
/* get stream length in dwords */
bytestream2_init(&gb, buf, buf_size);
len = bytestream2_get_be32(&gb);
- skip = len * 4 + 4;
if (len == 0)
return 4;
- if (len >= INT_MAX / 4 - 1 || len < 0 || skip > buf_size) {
+ if (len >= INT_MAX / 4 - 1 || len < 0 || len * 4 + 4 > buf_size) {
av_log(ctx->avctx, AV_LOG_ERROR, "Error, invalid stream size.\n");
return AVERROR_INVALIDDATA;
}
+ skip = len * 4 + 4;
toks = bytestream2_get_be32(&gb);
if (toks & 1) {