aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2021-09-14 00:14:56 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2021-10-05 23:19:39 +0200
commitbe267aa08bfb764156aa28c4e49e14cfedf1ea94 (patch)
treede73f730e4b742d83010ce73f3fab382bdb77528
parent65d6de52f12875475399a601d0a9ffbc51b32bda (diff)
downloadffmpeg-be267aa08bfb764156aa28c4e49e14cfedf1ea94.tar.gz
avcodec/exr: Fix undefined integer multiplication
Fixes: signed integer overflow: 7020950083487072256 * 2 cannot be represented in type 'long long' Fixes: 37523/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5133634955771904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit e67deaf86cb1a79054c4f6dcfcaab9b2c60eb8a4) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/exr.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 21b3b179ab..49ba7fd6de 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1033,12 +1033,14 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
}
if (ac_size > 0) {
- unsigned long dest_len = ac_count * 2LL;
+ unsigned long dest_len;
GetByteContext agb = gb;
if (ac_count > 3LL * td->xsize * s->scan_lines_per_block)
return AVERROR_INVALIDDATA;
+ dest_len = ac_count * 2LL;
+
av_fast_padded_malloc(&td->ac_data, &td->ac_size, dest_len);
if (!td->ac_data)
return AVERROR(ENOMEM);
@@ -1062,12 +1064,14 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
}
{
- unsigned long dest_len = dc_count * 2LL;
+ unsigned long dest_len;
GetByteContext agb = gb;
if (dc_count != dc_w * dc_h * 3)
return AVERROR_INVALIDDATA;
+ dest_len = dc_count * 2LL;
+
av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);
if (!td->dc_data)
return AVERROR(ENOMEM);