[FFmpeg-cvslog] avformat/vividas: Check that value from ffio_read_varlen() does not overflow
Michael Niedermayer
git at videolan.org
Sat Aug 3 18:43:42 EEST 2019
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Jul 20 22:41:08 2019 +0200| [97ae13ba240f0f9f24140992dd65c1523faf7fee] | committer: Michael Niedermayer
avformat/vividas: Check that value from ffio_read_varlen() does not overflow
Fixes: signed integer overflow: -1241665686 + -1340629419 cannot be represented in type 'int'
Fixes: 15922/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5692826442006528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=97ae13ba240f0f9f24140992dd65c1523faf7fee
---
libavformat/vividas.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavformat/vividas.c b/libavformat/vividas.c
index 1895c75858..c3d3cf548c 100644
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -374,8 +374,11 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *
ffio_read_varlen(pb); // len_3
num_data = avio_r8(pb);
for (j = 0; j < num_data; j++) {
- data_len[j] = ffio_read_varlen(pb);
- xd_size += data_len[j];
+ uint64_t len = ffio_read_varlen(pb);
+ if (len > INT_MAX/2 - xd_size)
+ return AVERROR_INVALIDDATA;
+ data_len[j] = len;
+ xd_size += len;
}
st->codecpar->extradata_size = 64 + xd_size + xd_size / 255;
More information about the ffmpeg-cvslog
mailing list