avformat/jpegxl_anim_dec: Check that size fits within argument

Fixes: out of array access Fixes: 61991/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-5524679648215040 Fixes: 62181/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-5504964305485824 Fixes: 62214/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-4782972823535616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-09-10 02:28:05 +02:00 · 2023-09-10 02:28:05 +02:00 · d2e8974699
commit d2e8974699
parent 00a837c70c
1 changed files with 2 additions and 0 deletions
--- a/libavformat/jpegxl_anim_dec.c
+++ b/libavformat/jpegxl_anim_dec.c
@ -152,6 +152,8 @@ static int jpegxl_anim_read_packet(AVFormatContext *s, AVPacket *pkt)
    size = avio_size(pb);
    if (size < 0)
        return size;
+    if (size > INT_MAX)
+        return AVERROR(EDOM);
    if (size == 0)
        size = 4096;