On Sat, May 30, 2020 at 02:09:42AM +0200, Hendrik Leppkes wrote: > On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer > <mich...@niedermayer.cc> wrote: > > > > Fixes: assertion failure > > Fixes: > > 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavcodec/hq_hqa.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c > > index eec2e980b3..8404e80ec8 100644 > > --- a/libavcodec/hq_hqa.c > > +++ b/libavcodec/hq_hqa.c > > @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, > > void *data, > > int info_size; > > bytestream2_skip(&ctx->gbc, 4); > > info_size = bytestream2_get_le32(&ctx->gbc); > > - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { > > + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < > > info_size) { > > av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", > > info_size); > > return AVERROR_INVALIDDATA; > > } > > -- > > bytestream2_get_le32 returns an unsigned type, wouldn't it be better > to make info_size unsigned and avoid the type cast and signed overflow > that results in this check failing?
The value is ultimatly passed into bytestream2_init() where its in int so it cannot be beyond the positive signed int range thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB No great genius has ever existed without some touch of madness. -- Aristotle
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
