[FFmpeg-cvslog] avformat/flvdec: don't skip backwards or over EOF

[Timo Rothenpieler]

ffmpeg | branch: master | Timo Rothenpieler <timo at rothenpieler.org> | Mon Jul 14 21:54:35 2025 +0200| [9015d595a115abad4428a61ac86002a06c90ce0b] | committer: Timo Rothenpieler

avformat/flvdec: don't skip backwards or over EOF

Skipping backwards (and even forwards) resets the EOF flag, and can thus
lead to infinite looping if the conditions are just right.

Fixes: Infinite loop
Fixes: 427538726/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-6582567304495104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Timo Rothenpieler <timo at rothenpieler.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9015d595a115abad4428a61ac86002a06c90ce0b
---

 libavformat/flvdec.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index b90ed34b1c..de5e688822 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -1860,8 +1860,16 @@ retry_duration:
 next_track:
         if (track_size) {
             av_log(s, AV_LOG_WARNING, "Track size mismatch: %d!\n", track_size);
-            avio_skip(s->pb, track_size);
-            size -= track_size;
+            if (!avio_feof(s->pb)) {
+                if (track_size > 0) {
+                    avio_skip(s->pb, track_size);
+                    size -= track_size;
+                } else {
+                    /* We have somehow read more than the track had to offer, leave and re-sync */
+                    ret = FFERROR_REDO;
+                    goto leave;
+                }
+            }
         }
 
         if (!size)