[FFmpeg-devel] [PR] avformat/icodec: Check size (PR #21754)

michaelni via ffmpeg-devel Fri, 13 Feb 2026 17:48:22 -0800

PR #21754 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21754
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21754.patch


Fixes: signed integer overflow: 14 + 2147483647 cannot be represented in type 
'int'
Fixes: 
471688026/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5616495813263360

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>


>From 77a367ccf68599e8c83778a93417edbdfb76c481 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sat, 14 Feb 2026 01:39:22 +0100
Subject: [PATCH] avformat/icodec: Check size

Fixes: signed integer overflow: 14 + 2147483647 cannot be represented in type 
'int'
Fixes: 
471688026/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5616495813263360

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/icodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/icodec.c b/libavformat/icodec.c
index b09d0060a6..4eddc8fa3c 100644
--- a/libavformat/icodec.c
+++ b/libavformat/icodec.c
@@ -113,7 +113,7 @@ static int read_header(AVFormatContext *s)
         avio_skip(pb, 5);
 
         ico->images[i].size   = avio_rl32(pb);
-        if (ico->images[i].size <= 0) {
+        if (ico->images[i].size <= 0 || ico->images[i].size > INT_MAX - 14) {
             av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", 
ico->images[i].size);
             return AVERROR_INVALIDDATA;
         }
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

[FFmpeg-devel] [PR] avformat/icodec: Check size (PR #21754)

Reply via email to