aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-10-22 15:41:51 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2020-07-01 12:49:26 +0200
commit87b41afe27b457daeac98a02270063f6ec5afb28 (patch)
tree4564aad04b27852adc727b8e198f2c203a7064b3 /libavcodec
parent9fa00a6adeb1fd6879ddc71b85b61d6d41c2d65b (diff)
downloadffmpeg-87b41afe27b457daeac98a02270063f6ec5afb28.tar.gz
avcodec/twinvq: Check block_align
Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 18348/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_METASOUND_fuzzer-6681325716635648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 97f778e9c55328e8b48f4b8b4171245e5f2232f6) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/twinvq.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 7b2e19e536..34ca1846b9 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -771,23 +771,26 @@ av_cold int ff_twinvq_decode_init(AVCodecContext *avctx)
{
int ret;
TwinVQContext *tctx = avctx->priv_data;
+ int64_t frames_per_packet;
tctx->avctx = avctx;
avctx->sample_fmt = AV_SAMPLE_FMT_FLTP;
if (!avctx->block_align) {
avctx->block_align = tctx->frame_size + 7 >> 3;
- } else if (avctx->block_align * 8 < tctx->frame_size) {
- av_log(avctx, AV_LOG_ERROR, "Block align is %d bits, expected %d\n",
- avctx->block_align * 8, tctx->frame_size);
+ }
+ frames_per_packet = avctx->block_align * 8LL / tctx->frame_size;
+ if (frames_per_packet <= 0) {
+ av_log(avctx, AV_LOG_ERROR, "Block align is %"PRId64" bits, expected %d\n",
+ avctx->block_align * (int64_t)8, tctx->frame_size);
return AVERROR_INVALIDDATA;
}
- tctx->frames_per_packet = avctx->block_align * 8 / tctx->frame_size;
- if (tctx->frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) {
- av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%d)\n",
- tctx->frames_per_packet);
+ if (frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) {
+ av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%"PRId64")\n",
+ frames_per_packet);
return AVERROR_INVALIDDATA;
}
+ tctx->frames_per_packet = frames_per_packet;
tctx->fdsp = avpriv_float_dsp_alloc(avctx->flags & AV_CODEC_FLAG_BITEXACT);
if (!tctx->fdsp) {