diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2020-08-15 22:52:42 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-02-02 14:18:21 +0100 |
| commit | 16e0f2f9b4f69910fdf58ffbef52ea4f19b3f61f (patch) | |
| tree | 15d91f91899a7cb8160757a76d6be1385d599485 /libavformat/utils.c | |
| parent | d0da49f3684a7ff5ab04269fd3ca0a7c69843547 (diff) | |
| download | ffmpeg-16e0f2f9b4f69910fdf58ffbef52ea4f19b3f61f.tar.gz | |
avformat/utils: check for integer overflow in av_get_frame_filename2()
Fixes: signed integer overflow: 317316873 * 10 cannot be represented in type 'int'
Fixes: 24708/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5731180885049344
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03c479ce236955fc329c7f9f4765ee1ec256bb73)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat/utils.c')
| -rw-r--r-- | libavformat/utils.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/utils.c b/libavformat/utils.c index ba8aaebfb7..8c3b87c637 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4745,8 +4745,11 @@ int av_get_frame_filename2(char *buf, int buf_size, const char *path, int number if (c == '%') { do { nd = 0; - while (av_isdigit(*p)) + while (av_isdigit(*p)) { + if (nd >= INT_MAX / 10 - 255) + goto fail; nd = nd * 10 + *p++ - '0'; + } c = *p++; } while (av_isdigit(c)); |