aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-08-31 00:20:39 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2019-11-11 20:18:47 +0100
commitc87ccb476f9a70c96448310ea066f61efd789bf2 (patch)
tree7310cc43733d2e1c09e9f165838d9f38ab3cd081 /libavformat
parentc9173f878729fa3ac01ec0fd320b9ad2da41d5fb (diff)
downloadffmpeg-c87ccb476f9a70c96448310ea066f61efd789bf2.tar.gz
avformat/cdxl: Fix integer overflow in intermediate
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/cdxl.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c
index 94a063c813..bd87c8d5d6 100644
--- a/libavformat/cdxl.c
+++ b/libavformat/cdxl.c
@@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt)
height = AV_RB16(&cdxl->header[16]);
palette_size = AV_RB16(&cdxl->header[20]);
audio_size = AV_RB16(&cdxl->header[22]);
- if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
+ if (cdxl->header[19] == 0 ||
+ FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
return AVERROR_INVALIDDATA;
if (format == 0x20)
image_size = width * height * cdxl->header[19] / 8;