aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2022-09-17 22:40:47 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2022-09-24 17:57:37 +0200
commit93db0f0740cacd64ae07b5e8606b70021e48d364 (patch)
treeeeff1c84b533c35db71d639c9177cb234c33d072 /libavformat
parent10453f5192869b63b071aee3962ae2c712f9bfd3 (diff)
downloadffmpeg-93db0f0740cacd64ae07b5e8606b70021e48d364.tar.gz
avformat/dxa: avoid bpc overflows
Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/dxa.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/libavformat/dxa.c b/libavformat/dxa.c
index 16fbb08156..474b85270a 100644
--- a/libavformat/dxa.c
+++ b/libavformat/dxa.c
@@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s)
if(tag == MKTAG('d', 'a', 't', 'a')) break;
avio_skip(pb, fsize);
}
- c->bpc = (fsize + c->frames - 1) / c->frames;
- if(ast->codecpar->block_align)
+ c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames;
+ if(ast->codecpar->block_align) {
+ if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
+ return AVERROR_INVALIDDATA;
c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
+ }
c->bytes_left = fsize;
c->wavpos = avio_tell(pb);
avio_seek(pb, c->vidpos, SEEK_SET);