From 085da59105ec4bedc35496461b0313e2f64a4eb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Feb 2026 01:39:22 +0100 Subject: [PATCH] avformat/icodec: Check size Fixes: signed integer overflow: 14 + 2147483647 cannot be represented in type 'int' Fixes: 471688026/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5616495813263360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 237d03717fc61331483a073a3f077f1dcb5b065b) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 128a495948..0444975266 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -114,7 +114,7 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 5); ico->images[i].size = avio_rl32(pb); - if (ico->images[i].size <= 0) { + if (ico->images[i].size <= 0 || ico->images[i].size > INT_MAX - 14) { av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); goto fail; }