[FFmpeg-cvslog] avformat/mpc8: check for size overflow in mpc8_get_chunk_header()
Michael Niedermayer
git at videolan.org
Thu Apr 1 00:10:46 EEST 2021
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed Mar 17 21:58:53 2021 +0100| [6cc65d3d6760cfb08c5a9e57d4306d88428e18d0] | committer: Michael Niedermayer
avformat/mpc8: check for size overflow in mpc8_get_chunk_header()
Fixes: signed integer overflow: -9223372036854775760 - 50 cannot be represented in type 'long'
Fixes: 31673/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-580134751869337
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6cc65d3d6760cfb08c5a9e57d4306d88428e18d0
---
libavformat/mpc8.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index ff7da2ef55..b12a417f63 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -127,7 +127,11 @@ static void mpc8_get_chunk_header(AVIOContext *pb, int *tag, int64_t *size)
pos = avio_tell(pb);
*tag = avio_rl16(pb);
*size = ffio_read_varlen(pb);
- *size -= avio_tell(pb) - pos;
+ pos -= avio_tell(pb);
+ if (av_sat_add64(*size, pos) != (uint64_t)*size + pos) {
+ *size = -1;
+ } else
+ *size += pos;
}
static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
More information about the ffmpeg-cvslog
mailing list