avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions

Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 'int'
Fixes: 9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2018-07-22 21:26:24 +02:00
parent 462d1be6de
commit f457c0ad7f
1 changed files with 4 additions and 1 deletions

View File

@ -1243,7 +1243,10 @@ static int dirac_unpack_idwt_params(DiracContext *s)
else { else {
s->num_x = get_interleaved_ue_golomb(gb); s->num_x = get_interleaved_ue_golomb(gb);
s->num_y = get_interleaved_ue_golomb(gb); s->num_y = get_interleaved_ue_golomb(gb);
if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) { if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX ||
s->num_x * (uint64_t)s->avctx->width > INT_MAX ||
s->num_y * (uint64_t)s->avctx->height > INT_MAX
) {
av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
s->num_x = s->num_y = 0; s->num_x = s->num_y = 0;
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;