[FFmpeg-devel] [PATCH 5/5] avcodec/cfhd: check peak.offset so it stays within the 32bit range

Sun Nov 8 04:42:30 EET 2020

Michael Niedermayer:
> Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int'
> Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/cfhd.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
> index a2b9c7c76a..e3fbfa4b91 100644
> --- a/libavcodec/cfhd.c
> +++ b/libavcodec/cfhd.c
> @@ -617,6 +617,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
>              s->peak.level   = 0;
>          } else if (tag == -PeakLevel && s->peak.offset) {
>              s->peak.level = data;
> +            if (s->peak.offset < INT_MIN + 4) {
> +                ret = AVERROR_INVALIDDATA;
> +                goto end;
> +            }
>              bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR);
>          } else
>              av_log(avctx, AV_LOG_DEBUG,  "Unknown tag %i data %x\n", tag, data);
> 
Is this peak.offset actually intended to be signed? And if so wouldn't
it make more sense to actually check that the buffer contains the seek
target?

- Andreas