aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2022-10-05 21:46:42 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2022-10-20 21:42:20 +0200
commit557aa7772e6cd646baa7bfd0046ac7e37442cff3 (patch)
tree4d256f0dc85f0175f05671a63abe9ac66985d848
parenteb9153b4a73f4d6e313206588eb7c03d1f4c12b8 (diff)
downloadffmpeg-557aa7772e6cd646baa7bfd0046ac7e37442cff3.tar.gz
avformat/asfdec_o: Check offset before adding index entry
Fixes: signed integer overflow: 9223372036854550860 + 530259564 cannot be represented in type 'long' Fixes: 49093/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-4697179192688640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/asfdec_o.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index e837ca62e7..2b407c016f 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -888,6 +888,8 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g)
av_log(s, AV_LOG_ERROR, "Skipping failed in asf_read_simple_index.\n");
return offset;
}
+ if (asf->first_packet_offset > INT64_MAX - asf->packet_size * pkt_num)
+ return AVERROR_INVALIDDATA;
if (prev_pkt_num != pkt_num) {
av_add_index_entry(st, asf->first_packet_offset + asf->packet_size *
pkt_num, av_rescale(interval, i, 10000),