[FFmpeg-devel] [PATCH 1/2] avformat/iff: Check data_size not overflowing int64
Michael Niedermayer
michael at niedermayer.cc
Mon Sep 28 21:20:46 EEST 2020
On Mon, Sep 28, 2020 at 08:30:50AM +1000, Peter Ross wrote:
> On Sun, Sep 27, 2020 at 10:20:52PM +0200, Michael Niedermayer wrote:
> > Fixes: Infinite loop
> > Fixes: 25844/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5660803318153216
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavformat/iff.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavformat/iff.c b/libavformat/iff.c
> > index 7feb121cd0..04fe8be4eb 100644
> > --- a/libavformat/iff.c
> > +++ b/libavformat/iff.c
> > @@ -449,6 +449,9 @@ static int iff_read_header(AVFormatContext *s)
> > data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb);
> > orig_pos = avio_tell(pb);
> >
> > + if (data_size >= INT64_MAX)
> > + return AVERROR_INVALIDDATA;
> > +
> > switch(chunk_id) {
> > case ID_VHDR:
> > st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
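Review bot: the new check `if (data_size >= INT64_MAX)` rejects only the single top value, while `orig_pos = avio_tell(pb)` two lines above is already a nonzero offset at this point; any later `orig_pos + data_size` can therefore still exceed INT64_MAX for a data_size just below the bound. If that sum is what the demuxer uses to skip past the chunk, a bound relative to the current position, e.g. `if (data_size > INT64_MAX - orig_pos) return AVERROR_INVALIDDATA;`, closes the whole overflowing range rather than one boundary value. Either way, the commit message should state how an oversized data_size produced the infinite loop; "Fixes: Infinite loop" on its own does not explain why this bound is the fix.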
> > --
> > 2.17.1
>
> ok
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The day soldiers stop bringing you their problems is the day you have stopped
leading them. They have either lost confidence that you can help or concluded
you do not care. Either case is a failure of leadership. - Colin Powell