MrBesen/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

avformat/mpc8: check for size overflow in mpc8_get_chunk_header()

Browse Source 
Fixes: signed integer overflow: -9223372036854775760 - 50 cannot be represented in type 'long'
Fixes: 31673/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-580134751869337

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-03-17 21:58:53 +01:00
parent c1fe1114bc
commit 6cc65d3d67
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavformat/mpc8.c
View File

@ -127,7 +127,11 @@ static void mpc8_get_chunk_header(AVIOContext *pb, int *tag, int64_t *size)
pos = avio_tell(pb);
*tag = avio_rl16(pb);
*size = ffio_read_varlen(pb);
*size -= avio_tell(pb) - pos;
pos -= avio_tell(pb);
if (av_sat_add64(*size, pos) != (uint64_t)*size + pos) {
*size = -1;
} else
*size += pos;
}
static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)