diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2022-08-22 20:31:32 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2022-08-28 23:07:06 +0200 |
commit | 1cd07b178b02614b1f13e8b9f15c13edf3dbdf90 (patch) | |
tree | 2f24957290b6e7f9596d60fc4dba1d6fa4680a18 | |
parent | 59afc50ab4a547ef20320170b7c784fc3b9fb277 (diff) | |
download | ffmpeg-1cd07b178b02614b1f13e8b9f15c13edf3dbdf90.tar.gz |
libavformat/iff: Check for overflow in body_end calculation
Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long'
Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavformat/iff.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c index b37600605a..b8e8bffe03 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -501,6 +501,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { |