ffmpeg | branch: master | Michael Niedermayer <mich...@niedermayer.cc> | Fri Jun 21 00:47:17 2019 +0200| [5f64f6058e0c23641a68ce7dfe47b1f55efd401c] | committer: Michael Niedermayer
avcodec/alsdec: Fix integer overflow with buffer number Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5f64f6058e0c23641a68ce7dfe47b1f55efd401c --- libavcodec/alsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 4b69775414..e38d7b21d3 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1993,6 +1993,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate quantized parcor coefficient buffer num_buffers = sconf->mc_coding ? avctx->channels : 1; + if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation + return AVERROR_INVALIDDATA; ctx->quant_cof = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof)); ctx->lpc_cof = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof)); _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".