[FFmpeg-cvslog] avformat/asf: Check picsize

Tue Sep 24 17:40:01 EEST 2024

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Thu Sep 19 19:56:48 2024 +0200| [fde8637fda8e5ac4ccfa4b137a7467e16cd631b6] | committer: Michael Niedermayer

avformat/asf: Check picsize

Fixes: signed integer overflow: 1073750247 * 2 cannot be represented in type 'int'
Fixes: 70722/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5447231587549184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fde8637fda8e5ac4ccfa4b137a7467e16cd631b6
---

 libavformat/asf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/asf.c b/libavformat/asf.c
index a71337aa3c..5c118d2dbe 100644
--- a/libavformat/asf.c
+++ b/libavformat/asf.c
@@ -90,8 +90,8 @@ static int asf_read_picture(AVFormatContext *s, int len)
         return 0;
     }
 
-    if (picsize >= len) {
-        av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d >= %d.\n",
+    if (picsize >= len || ((int64_t)len - picsize) * 2 + 1 > INT_MAX) {
+        av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d  (len = %d).\n",
                picsize, len);
         return AVERROR_INVALIDDATA;
     }

