PR #22267 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22267 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22267.patch
Fixes: signed integer overflow: 256 * 8396351 cannot be represented in type 'int' Fixes: 482692578/clusterfuzz-testcase-minimized-ffmpeg_dem_SWF_fuzzer-5865521093607424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> >From 779356c68ef51c8317c8278c41496a58b784cd4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Sun, 22 Feb 2026 17:30:32 +0100 Subject: [PATCH] avcodec/utils: fix duration computation based on frame_bytes Fixes: signed integer overflow: 256 * 8396351 cannot be represented in type 'int' Fixes: 482692578/clusterfuzz-testcase-minimized-ffmpeg_dem_SWF_fuzzer-5865521093607424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/utils.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index d89e886a08..c2968754e7 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -641,16 +641,16 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
 if (frame_bytes > 0) { /* calc from frame_bytes only */
- if (id == AV_CODEC_ID_TRUESPEECH)
- return 240 * (frame_bytes / 32);
- if (id == AV_CODEC_ID_NELLYMOSER)
- return 256 * (frame_bytes / 64);
- if (id == AV_CODEC_ID_RA_144)
- return 160 * (frame_bytes / 20);
- if (id == AV_CODEC_ID_APTX)
- return 4 * (frame_bytes / 4);
- if (id == AV_CODEC_ID_APTX_HD)
- return 4 * (frame_bytes / 6);
+ int64_t d = INT64_MIN;
+ switch(id) {
+ case AV_CODEC_ID_TRUESPEECH : d = 15LL * (frame_bytes / 2); break;
+ case AV_CODEC_ID_NELLYMOSER : d = 4LL * frame_bytes; break;
+ case AV_CODEC_ID_RA_144 : d = 8LL * frame_bytes; break;
+ case AV_CODEC_ID_APTX : d = frame_bytes; break;
+ case AV_CODEC_ID_APTX_HD : d = 2 * (frame_bytes / 3); break;
+ }
+ if (d > INT64_MIN)
+ return ((int)d == d && d > 0) ? d : 0;
 if (bps > 0) { /* calc from frame_bytes and bits_per_coded_sample */
-- 
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
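Review bot: The reduced multipliers in the new `switch(id)` are not equivalent to the removed expressions whenever frame_bytes is not a whole multiple of the codec's block size, so this changes results beyond the overflow fix the commit message describes. For example, NELLYMOSER with frame_bytes = 65 used to give 256 * (65 / 64) = 256 and now gives 4 * 65 = 260, and a frame_bytes smaller than one block, which used to yield 0, now yields a positive duration. frame_bytes appears to come from demuxed (untrusted) packet sizes, so a duration that counts partial blocks may disagree with what the decoder actually produces; if only the overflow is meant to be fixed, keep the floor-to-block division and widen the multiply, relying on the existing `(int)d == d` check to reject values that do not fit. If the rounding change is intentional, it should be stated in the commit message. The body of get_audio_frame_duration starts and continues outside this hunk.

```c
switch(id) {
case AV_CODEC_ID_TRUESPEECH : d = 240LL * (frame_bytes / 32); break;
case AV_CODEC_ID_NELLYMOSER : d = 256LL * (frame_bytes / 64); break;
case AV_CODEC_ID_RA_144     : d = 160LL * (frame_bytes / 20); break;
case AV_CODEC_ID_APTX       : d =   4LL * (frame_bytes /  4); break;
case AV_CODEC_ID_APTX_HD    : d =   4LL * (frame_bytes /  6); break;
}
/* … unchanged: `if (d > INT64_MIN)` range check and return … */
```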
