diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2020-11-03 19:21:18 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-10-09 22:02:20 +0200 |
| commit | e37c5f6d6add1ce4e3e69de0f99375c97c40da82 (patch) | |
| tree | 8488c3ae8769556e8fbdeb9f2785d83b2760e11b | |
| parent | 95671d383f52908f4bcfcd8c7b4dc1c76ed3f8dc (diff) | |
| download | ffmpeg-e37c5f6d6add1ce4e3e69de0f99375c97c40da82.tar.gz | |
avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK
Fixes: signed integer overflow: 131203586 * 28 cannot be represented in type 'int'
Fixes: 26817/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6296902548848640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2488ba85a0fa5ee4125888258d3d95ce3f03bbb6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/utils.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/utils.c b/libavcodec/utils.c index bc406282f7..adc9607c62 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3669,7 +3669,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, return frame_bytes / (9 * ch) * 16; case AV_CODEC_ID_ADPCM_PSX: case AV_CODEC_ID_ADPCM_DTK: - return frame_bytes / (16 * ch) * 28; + frame_bytes /= 16 * ch; + if (frame_bytes > INT_MAX / 28) + return 0; + return frame_bytes * 28; case AV_CODEC_ID_ADPCM_4XM: case AV_CODEC_ID_ADPCM_IMA_DAT4: case AV_CODEC_ID_ADPCM_IMA_ISS: |