avformat/cdxl: Fix integer overflow in intermediate

Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2019-08-31 00:20:39 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2019-12-06 20:30:57 +0100
commit: a6f50a53cfd1d9db355cf8068f80d24be6b17640 (patch)
tree: f73c6013466c4102096fd5381c33aeb4de1f9a68
parent: 2a306730a4a3897f5cae4468f314d3a47c215bcc (diff)
download: ffmpeg-a6f50a53cfd1d9db355cf8068f80d24be6b17640.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c
index f198bf50fa..807de9e37f 100644
--- a/libavformat/cdxl.c
+++ b/libavformat/cdxl.c
@@ -130,7 +130,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt)
     height       = AV_RB16(&cdxl->header[16]);
     palette_size = AV_RB16(&cdxl->header[20]);
     audio_size   = AV_RB16(&cdxl->header[22]);
-    if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
+    if (cdxl->header[19] == 0 ||
+        FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
         return AVERROR_INVALIDDATA;
     image_size   = FFALIGN(width, 16) * height * cdxl->header[19] / 8;
     video_size   = palette_size + image_size;
author	Michael Niedermayer <michael@niedermayer.cc>	2019-08-31 00:20:39 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2019-12-06 20:30:57 +0100
commit	a6f50a53cfd1d9db355cf8068f80d24be6b17640 (patch)
tree	f73c6013466c4102096fd5381c33aeb4de1f9a68
parent	2a306730a4a3897f5cae4468f314d3a47c215bcc (diff)
download	ffmpeg-a6f50a53cfd1d9db355cf8068f80d24be6b17640.tar.gz