From beb4bd4e3a52565eeeefb329ce20659671d16c22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:09:05 +0200 Subject: [PATCH] avformat/avidec: Fix io_fsize overflow Fixes: signed integer overflow: 7958120835074169528 * 9 cannot be represented in type 'long long' Fixes: 23382/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6230683226996736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf0c700b0c25f5d9fe50dd27086a06812822f11a) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 59c06ea25c..9ed167ae6a 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -438,7 +438,7 @@ static int calculate_bitrate(AVFormatContext *s) maxpos = FFMAX(maxpos, st->index_entries[j-1].pos); lensum += len; } - if (maxpos < avi->io_fsize*9/10) // index does not cover the whole file + if (maxpos < av_rescale(avi->io_fsize, 9, 10)) // index does not cover the whole file return 0; if (lensum*9/10 > maxpos || lensum < maxpos*9/10) // frame sum and filesize mismatch return 0;