mirror of https://git.ffmpeg.org/ffmpeg.git
avformat/ape: more bits in size for less overflows
Fixes: signed integer overflow: 2147483647 + 3 cannot be represented in type 'int'
Fixes: 46184/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-4678059519770624
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e5f6707a7b
)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
a162f52438
commit
b928cd3bda
|
@ -42,8 +42,8 @@
|
|||
|
||||
typedef struct APEFrame {
|
||||
int64_t pos;
|
||||
int64_t size;
|
||||
int nblocks;
|
||||
int size;
|
||||
int skip;
|
||||
int64_t pts;
|
||||
} APEFrame;
|
||||
|
@ -146,7 +146,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx)
|
|||
|
||||
av_log(s, AV_LOG_DEBUG, "\nFrames\n\n");
|
||||
for (i = 0; i < ape_ctx->totalframes; i++)
|
||||
av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8d (%d samples)\n", i,
|
||||
av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8"PRId64" (%d samples)\n", i,
|
||||
ape_ctx->frames[i].pos, ape_ctx->frames[i].size,
|
||||
ape_ctx->frames[i].nblocks);
|
||||
|
||||
|
@ -164,7 +164,8 @@ static int ape_read_header(AVFormatContext * s)
|
|||
AVStream *st;
|
||||
uint32_t tag;
|
||||
int i;
|
||||
int total_blocks, final_size = 0;
|
||||
int total_blocks;
|
||||
int64_t final_size = 0;
|
||||
int64_t pts, file_size;
|
||||
|
||||
/* Skip any leading junk such as id3v2 tags */
|
||||
|
@ -403,7 +404,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt)
|
|||
|
||||
if (ape->frames[ape->currentframe].size <= 0 ||
|
||||
ape->frames[ape->currentframe].size > INT_MAX - extra_size) {
|
||||
av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n",
|
||||
av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n",
|
||||
ape->frames[ape->currentframe].size);
|
||||
ape->currentframe++;
|
||||
return AVERROR(EIO);
|
||||
|
|
Loading…
Reference in New Issue