On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer <mich...@niedermayer.cc> wrote: > > Fixes: assertion failure > Fixes: > 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/hq_hqa.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c > index eec2e980b3..8404e80ec8 100644 > --- a/libavcodec/hq_hqa.c > +++ b/libavcodec/hq_hqa.c > @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, > void *data, > int info_size; > bytestream2_skip(&ctx->gbc, 4); > info_size = bytestream2_get_le32(&ctx->gbc); > - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { > + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < > info_size) { > av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", > info_size); > return AVERROR_INVALIDDATA; > } > --
bytestream2_get_le32 returns an unsigned type, wouldn't it be better to make info_size unsigned and avoid the type cast and signed overflow that results in this check failing? - Hendrik _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".