On Thu, Dec 23, 2021 at 10:32:12PM -0500, John-Paul Stewart wrote:
> On 2021-12-23 16:15, Michael Niedermayer wrote:
> > Fixes: division by zero
> > Fixes: 42814/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-4787014237552640
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> >  libavformat/mvdec.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> > index 1a5012e5076..390f6ba4de8 100644
> > --- a/libavformat/mvdec.c
> > +++ b/libavformat/mvdec.c
> > @@ -366,6 +366,9 @@ static int mv_read_header(AVFormatContext *avctx)
> >          avpriv_request_sample(avctx, "Audio compression (format %i)", v);
> >      }
> >
> > +    if (bytes_per_sample <= 0)
> > +        return AVERROR_INVALIDDATA;
> > +
>
> bytes_per_sample is uint32_t so it can never be less than zero.
>
> bytes_per_sample will be zero for movie files with no audio, so that is
> not necessarily invalid data.

I can change it to AVERROR_PATCHWELCOME, but this codepath has already
created an audio stream, so the code at least believes at this point that
there is audio, and it will crash a few lines later.

> I can't offer a better suggestion at the moment, though. I'll see if I
> can come up with something, unless one of you guys gets to it first.

OK, I'll apply this unless I see another fix first, as it fixes the crash,
and in fact in this path requests for samples were already printed.

Also thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The misfortune of the wise is better than the prosperity of the fool. -- Epicurus
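Review bot: in the hunk at mv_read_header, `if (bytes_per_sample <= 0)` is misleading for an unsigned `uint32_t` (as the thread notes), since the `< 0` half can never be true; write the guard as `if (!bytes_per_sample)` so the intent, rejecting a zero divisor before the division that the fuzzer case triggers, is explicit and no compiler warns about a tautological comparison. A short comment above the check would also help future readers, since the thread itself records that zero is the value for files without audio yet an audio stream has already been created on this path, so the choice of AVERROR_INVALIDDATA here is a deliberate one and not an oversight.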