On Thu, Sep 22, 2022 at 03:01:05PM +0200, Anton Khirnov wrote: > Quoting Michael Niedermayer (2022-09-18 19:14:10) > > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' > > Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer > > --- > > libavformat/westwood_vqa.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c > > index e3d2e2668c4..bd8df5e0b34 100644 > > --- a/libavformat/westwood_vqa.c > > +++ b/libavformat/westwood_vqa.c > > @@ -274,6 +274,8 @@ static int wsvqa_read_packet(AVFormatContext *s, > > return AVERROR(EIO); > > > > /* the decoder expects chunks to be 16-bit aligned */ > > + if (wsvqa->vqfl_chunk_size == INT_MAX) > > + return AVERROR_INVALIDDATA; > > IIUC this can only happen after the > wsvqa->vqfl_chunk_size > 3 * (1 << 20) > check above was triggered. Then it makes more sense to change that code > to check chunk_size before setting wsvqa->vqfl_chunk_size. i will post a new patch thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB It is what and why we do it that matters, not just one of them.