[FFmpeg-cvslog] libavformat/iff: Check for overflow in body_end calculation
Michael Niedermayer
git at videolan.org
Fri Oct 28 22:17:14 EEST 2022
ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Mon Aug 22 20:31:32 2022 +0200| [a87ad0dba0ce0c152cb4005f13731827383d3e75] | committer: Michael Niedermayer
libavformat/iff: Check for overflow in body_end calculation
Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long'
Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a87ad0dba0ce0c152cb4005f13731827383d3e75
---
libavformat/iff.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 4f6bc3edda..813f76f0e9 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -435,6 +435,9 @@ static int iff_read_header(AVFormatContext *s)
case ID_DSD:
case ID_MDAT:
iff->body_pos = avio_tell(pb);
+ if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX)
+ return AVERROR_INVALIDDATA;
+
iff->body_end = iff->body_pos + data_size;
iff->body_size = data_size;
break;
More information about the ffmpeg-cvslog
mailing list