avformat/asfdec_f: Check name_len for overflow

Fixes: signed integer overflow: -1172299744 * 2 cannot be represented in type 'int' Fixes: 26258/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5672758488596480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0d088a47ca0243576078f109fff20617d1fac382) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-15 22:04:56 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-09-10 16:04:26 +0200
commit: 5dbeb9c4d6b0cd653f54a3e00086e07811589424 (patch)
tree: c1eef277dfaa60716f460ce6baf5e44341e5dbb6
parent: f62da97dfc82ac40eccbece9a4a646704e272ba7 (diff)
download: ffmpeg-5dbeb9c4d6b0cd653f54a3e00086e07811589424.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 8ae9f1c06f..41aca9e12c 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -769,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
         avio_rl32(pb);             // send time
         avio_rl32(pb);             // flags
         name_len = avio_rl32(pb);  // name length
+        if ((unsigned)name_len > INT_MAX / 2)
+            return AVERROR_INVALIDDATA;
         if ((ret = avio_get_str16le(pb, name_len * 2, name,
                                     sizeof(name))) < name_len)
             avio_skip(pb, name_len - ret);
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-15 22:04:56 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-09-10 16:04:26 +0200
commit	5dbeb9c4d6b0cd653f54a3e00086e07811589424 (patch)
tree	c1eef277dfaa60716f460ce6baf5e44341e5dbb6
parent	f62da97dfc82ac40eccbece9a4a646704e272ba7 (diff)
download	ffmpeg-5dbeb9c4d6b0cd653f54a3e00086e07811589424.tar.gz