avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()

Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long' Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800 Alternatively this could be ignored but then the end condition of the loop would be hard to reach as avio_tell() is int64_t Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0bee216ad454dd7238a03dd9a76428cc6c3233cc) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-01-12 21:17:18 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-09-10 16:04:26 +0200
commit: 891209076d34f3a2d2963e28a14b82405dc5de93 (patch)
tree: 690f1456bb4e225ca487dc941d84aed1b51a58db
parent: 2382d586898a7950dec39b8c5780d24d05b033a5 (diff)
download: ffmpeg-891209076d34f3a2d2963e28a14b82405dc5de93.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index 8e7f044ce9..32a7571300 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -1679,6 +1679,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t
     ff_asf_guid guid;
     int ret;
 
+    if (offset > INT64_MAX - size)
+        return AVERROR_INVALIDDATA;
+
     while (avio_tell(pb) <= offset + size) {
         if (avio_tell(pb) == asf->offset)
             break;
author	Michael Niedermayer <michael@niedermayer.cc>	2021-01-12 21:17:18 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-09-10 16:04:26 +0200
commit	891209076d34f3a2d2963e28a14b82405dc5de93 (patch)
tree	690f1456bb4e225ca487dc941d84aed1b51a58db
parent	2382d586898a7950dec39b8c5780d24d05b033a5 (diff)
download	ffmpeg-891209076d34f3a2d2963e28a14b82405dc5de93.tar.gz