avformat/avidec: fix position overflow in avi_load_index()

Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 527821a2dd6f19d9a4d2abe05833346ae86c66c6) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-04-23 19:11:03 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-09-12 11:22:04 +0200
commit: 89fd36adfe82e0a3a42461ed8a252c637c170da2 (patch)
tree: 80a973c1475c854097562b11d03be0f8cfbb8c87
parent: d15d67e6ccc2fe3b5ff0afb1addceb9c6b222781 (diff)
download: ffmpeg-89fd36adfe82e0a3a42461ed8a252c637c170da2.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index f47e436f86..46f24a8e55 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1745,7 +1745,10 @@ static int avi_load_index(AVFormatContext *s)
         size = avio_rl32(pb);
         if (avio_feof(pb))
             break;
-        next = avio_tell(pb) + size + (size & 1);
+        next = avio_tell(pb);
+        if (next < 0 || next > INT64_MAX - size - (size & 1))
+            break;
+        next += size + (size & 1LL);
 
         if (tag == MKTAG('i', 'd', 'x', '1') &&
             avi_read_idx1(s, size) >= 0) {
author	Michael Niedermayer <michael@niedermayer.cc>	2021-04-23 19:11:03 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-09-12 11:22:04 +0200
commit	89fd36adfe82e0a3a42461ed8a252c637c170da2 (patch)
tree	80a973c1475c854097562b11d03be0f8cfbb8c87
parent	d15d67e6ccc2fe3b5ff0afb1addceb9c6b222781 (diff)
download	ffmpeg-89fd36adfe82e0a3a42461ed8a252c637c170da2.tar.gz