har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/utils: check for integer overflow in av_get_frame_filename2()

Browse Source 
Fixes: signed integer overflow: 317316873 * 10 cannot be represented in type 'int'
Fixes: 24708/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5731180885049344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03c479ce236955fc329c7f9f4765ee1ec256bb73)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-08-15 22:52:42 +02:00
parent d0da49f368
commit 16e0f2f9b4
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavformat/utils.c
View File

@ -4745,8 +4745,11 @@ int av_get_frame_filename2(char *buf, int buf_size, const char *path, int number
if (c == '%') { if (c == '%') {
do { do {
nd = 0; nd = 0;
while (av_isdigit(*p)) while (av_isdigit(*p)) {
if (nd >= INT_MAX / 10 - 255)
goto fail;
nd = nd * 10 + *p++ - '0'; nd = nd * 10 + *p++ - '0';
}
c = *p++; c = *p++;
} while (av_isdigit(c)); } while (av_isdigit(c));