diff options
| author | Michael Niedermayer <[email protected]> | 2017-02-23 22:33:16 +0100 |
|---|---|---|
| committer | Michael Niedermayer <[email protected]> | 2017-05-20 03:41:33 +0200 |
| commit | e5c39ad0e9004cfe726250b67f3d0e4b389b9726 (patch) | |
| tree | 47b296ddc042b08088783f5f83b92f8b0844d838 | |
| parent | a50259df791e2b997382dde98a18ae6243d0d852 (diff) | |
avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows
This is not necessarily specific to fuzzed files
Fixes: Multiple integer overflows
Fixes: 656/clusterfuzz-testcase-6463814516080640
Fixes: 658/clusterfuzz-testcase-6691260146384896
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 76ba09d18245a2a41dc5f93a60fd00cdf358cb1f)
Signed-off-by: Michael Niedermayer <[email protected]>
| -rw-r--r-- | libavcodec/mpeg4videodec.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index c114814457..e12625f554 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -383,6 +383,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; + + if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX || + llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX || + llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) { + avpriv_request_sample(s->avctx, "Overflow on sprite points"); + return AVERROR_PATCHWELCOME; + } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } |