avformat/asfdec_f: Check name_len for overflow

Fixes: signed integer overflow: -1172299744 * 2 cannot be represented in type 'int' Fixes: 26258/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5672758488596480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0d088a47ca0243576078f109fff20617d1fac382) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-15 22:04:56 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-09-11 21:23:48 +0200
commit: 2912ec590920c5febaa18e53b269559ad66e096f (patch)
tree: 307bcf5dc731707fe72220a8c7192d060b865737
parent: 6d69eaa0a64676aaa9599bb09576ac1e42a2e7ef (diff)
download: ffmpeg-2912ec590920c5febaa18e53b269559ad66e096f.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index ae36aeab28..2964384430 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -769,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
         avio_rl32(pb);             // send time
         avio_rl32(pb);             // flags
         name_len = avio_rl32(pb);  // name length
+        if ((unsigned)name_len > INT_MAX / 2)
+            return AVERROR_INVALIDDATA;
         if ((ret = avio_get_str16le(pb, name_len * 2, name,
                                     sizeof(name))) < name_len)
             avio_skip(pb, name_len - ret);
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-15 22:04:56 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-09-11 21:23:48 +0200
commit	2912ec590920c5febaa18e53b269559ad66e096f (patch)
tree	307bcf5dc731707fe72220a8c7192d060b865737
parent	6d69eaa0a64676aaa9599bb09576ac1e42a2e7ef (diff)
download	ffmpeg-2912ec590920c5febaa18e53b269559ad66e096f.tar.gz