avformat/mvi: Check audio size for more overflows

Fixes: left shift of negative value -352256000 Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 403b35e16e16a8c4a13e531ccdc23598f685ca20) Signed-off-by: Michael Niedermayer <[email protected]>
author: Michael Niedermayer <[email protected]> 2021-02-22 20:20:48 +0100
committer: Michael Niedermayer <[email protected]> 2021-09-10 16:04:26 +0200
commit: 2f3efc996a84b6a1a545b45ad00806035c0ea772 (patch)
tree: faef9c6cc8b8b545df30a80f2e1a92c221fcef29
parent: bd4060a718599dc8359a33c60bb29f58792c7754 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 0b53473671..6aad6cb86a 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -119,6 +119,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
         mvi->video_frame_size = (mvi->get_int)(pb);
         if (mvi->audio_size_left == 0)
             return AVERROR(EIO);
+        if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size ||
+            mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS)
+            return AVERROR_INVALIDDATA;
+
         count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS;
         if (count > mvi->audio_size_left)
             count = mvi->audio_size_left;
author	Michael Niedermayer <[email protected]>	2021-02-22 20:20:48 +0100
committer	Michael Niedermayer <[email protected]>	2021-09-10 16:04:26 +0200
commit	2f3efc996a84b6a1a545b45ad00806035c0ea772 (patch)
tree	faef9c6cc8b8b545df30a80f2e1a92c221fcef29
parent	bd4060a718599dc8359a33c60bb29f58792c7754 (diff)