From eaff5fcb7cde8d1614755269773d471d3a3d1bfc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Dec 2017 22:42:05 +0100 Subject: [PATCH] avcodec/vp9_superframe_split_bsf: Fix integer overflow in frame_size/total_size checks Fixes: signed integer overflow: -1698586465 + -551542752 cannot be represented in type 'int' Fixes: 4490/clusterfuzz-testcase-minimized-5210014592532480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/vp9_superframe_split_bsf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c index 6d6d8e664d..0d2523ebf7 100644 --- a/libavcodec/vp9_superframe_split_bsf.c +++ b/libavcodec/vp9_superframe_split_bsf.c @@ -59,7 +59,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out) if (in->size >= idx_size && in->data[in->size - idx_size] == marker) { GetByteContext bc; - int total_size = 0; + int64_t total_size = 0; bytestream2_init(&bc, in->data + in->size + 1 - idx_size, nb_frames * length_size); @@ -70,7 +70,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out) frame_size |= bytestream2_get_byte(&bc) << (j * 8); total_size += frame_size; - if (total_size > in->size - idx_size) { + if (frame_size < 0 || total_size > in->size - idx_size) { av_log(ctx, AV_LOG_ERROR, "Invalid frame size in a superframe: %d\n", frame_size); ret = AVERROR(EINVAL);