github.com/xiph/speex.git
author: Tristan Matthews <tmatth@videolan.org> 2019-11-10 03:45:29 +0300
committer: Tristan Matthews <tmatth@videolan.org> 2019-11-10 04:04:50 +0300
commit: 7db954e9f9c8644b8060a5a412cbec6495ccd39a
tree: 46f30d60dfcc6f9598f31d5fde50fa0a19544066
parent: 8d6eea3d7882c3dccfd53a5798baac92d729aad5

speexdec_fuzzer: avoid integer overflow

Fixes ubsan error in fuzzer: "runtime error: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'"

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/speex

-rw-r--r-- contrib/oss-fuzz/speexdec_fuzzer.cc 2
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/oss-fuzz/speexdec_fuzzer.cc b/contrib/oss-fuzz/speexdec_fuzzer.cc
index 029b69e..259dd59 100644
--- a/contrib/oss-fuzz/speexdec_fuzzer.cc
+++ b/contrib/oss-fuzz/speexdec_fuzzer.cc
@@ -232,7 +232,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *fuzz_data, size_t fuzz_size
ogg_stream_pagein(&os, &og);
page_granule = ogg_page_granulepos(&og);
page_nb_packets = ogg_page_packets(&og);
- if (page_granule>0 && frame_size)
+ if (page_granule>0 && frame_size && (last_granule > 0 || INT64_MAX + last_granule > page_granule))
{
/* FIXME: shift the granule values if --force-* is specified */
int64_t a = page_nb_packets*granule_frame_size*(int64_t)nframes;
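
Review bot: The guard added to the `if` condition uses strict comparisons, so it skips the block in boundary cases where the subtraction reported by UBSan in the commit message would still be representable. With `last_granule == 0` the first disjunct is false and `INT64_MAX + last_granule > page_granule` rejects `page_granule == INT64_MAX`, although subtracting zero cannot overflow. `(last_granule >= 0 || INT64_MAX + last_granule >= page_granule)` is the exact bound. The condition would also benefit from a one-line comment naming the computation it protects, since that subtraction does not appear on this line and the expression is hard to read on its own. Separately, in the context line `int64_t a = page_nb_packets*granule_frame_size*(int64_t)nframes;` the cast applies only to `nframes`, so `page_nb_packets*granule_frame_size` is multiplied in those variables' own type first; if they are narrower than 64 bits, moving the cast to the first operand would widen the whole product.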