diff options
author | Tristan Matthews <tmatth@videolan.org> | 2019-11-10 03:45:29 +0300 |
---|---|---|
committer | Tristan Matthews <tmatth@videolan.org> | 2019-11-10 04:04:50 +0300 |
commit | 7db954e9f9c8644b8060a5a412cbec6495ccd39a (patch) | |
tree | 46f30d60dfcc6f9598f31d5fde50fa0a19544066 | |
parent | 8d6eea3d7882c3dccfd53a5798baac92d729aad5 (diff) |
speexdec_fuzzer: avoid integer overflow
Fixes ubsan error in fuzzer:
"runtime error: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'"
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/speex
-rw-r--r-- | contrib/oss-fuzz/speexdec_fuzzer.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/oss-fuzz/speexdec_fuzzer.cc b/contrib/oss-fuzz/speexdec_fuzzer.cc index 029b69e..259dd59 100644 --- a/contrib/oss-fuzz/speexdec_fuzzer.cc +++ b/contrib/oss-fuzz/speexdec_fuzzer.cc @@ -232,7 +232,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *fuzz_data, size_t fuzz_size ogg_stream_pagein(&os, &og); page_granule = ogg_page_granulepos(&og); page_nb_packets = ogg_page_packets(&og); - if (page_granule>0 && frame_size) + if (page_granule>0 && frame_size && (last_granule > 0 || INT64_MAX + last_granule > page_granule)) { /* FIXME: shift the granule values if --force-* is specified */ int64_t a = page_nb_packets*granule_frame_size*(int64_t)nframes; |