On Thu, Sep 22, 2022 at 03:18:20PM +0200, Anton Khirnov wrote: > Quoting Michael Niedermayer (2022-09-18 19:14:07) > > Fixes: signed integer overflow: 119760682 - -2084600173 cannot be represented in type 'int' > > Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6745781167587328 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer > > --- > > libavformat/vividas.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/libavformat/vividas.c b/libavformat/vividas.c > > index e9954f73ed0..22f61db7576 100644 > > --- a/libavformat/vividas.c > > +++ b/libavformat/vividas.c > > @@ -643,7 +643,9 @@ static int viv_read_packet(AVFormatContext *s, > > > > if (viv->current_audio_subpacket < viv->n_audio_subpackets) { > > AVStream *astream; > > - int size = viv->audio_subpackets[viv->current_audio_subpacket+1].start - viv->audio_subpackets[viv->current_audio_subpacket].start; > > + int64_t size = viv->audio_subpackets[viv->current_audio_subpacket+1].start - (int64_t)viv->audio_subpackets[viv->current_audio_subpacket].start; > > + if (size < 0 || size != (int)size) > > + return AVERROR_INVALIDDATA; > > These values should be checked in the loop where they are set. ok but then we fail before the actual problem is encountered i will send a patch doing that thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB No human being will ever know the Truth, for even if they happen to say it by chance, they would not even known they had done so. -- Xenophanes