avformat/cdxl: Fix integer overflow in intermediate
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 30 Aug 2019 22:20:39 +0000 (00:20 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 15 Sep 2019 22:53:18 +0000 (00:53 +0200)
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int'
Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/cdxl.c

index 9aacaddb40f5c7bcdc0a22759babeb54f50a5a81..e675b2c8f10118f6431344b431479447a9b2fd08 100644 (file)
@@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt)
     height       = AV_RB16(&cdxl->header[16]);
     palette_size = AV_RB16(&cdxl->header[20]);
     audio_size   = AV_RB16(&cdxl->header[22]);
-    if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
+    if (cdxl->header[19] == 0 ||
+        FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
         return AVERROR_INVALIDDATA;
     if (format == 0x20)
         image_size = width * height * cdxl->header[19] / 8;
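Review bot: The added `cdxl->header[19] == 0` test at the start of the condition has no comment, and its link to the overflow is not obvious: when that byte (presumably the bit depth) is zero, the 64-bit product is 0, so the `> INT_MAX` bound passes for any width and height, and the `int` multiplication in `image_size = width * height * cdxl->header[19] / 8` can then overflow. I would add a comment above the condition, for example `/* a zero header[19] zeroes the product and would bypass the size bound below */`. The bare index 19 is also read three times on the new side of this hunk; a named local, as is already done for `height`, `palette_size` and `audio_size`, would make the bound easier to audit. cdxl_read_packet starts and ends outside the hunk, so whether a zero width or height is rejected later cannot be seen here.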