avformat/ifv: Check that total frames do not overflow

Fixes: Infinite loop Fixes: 26392/clusterfuzz-testcase-minimized-ffmpeg_dem_GIF_fuzzer-5713658237419520 Fixes: 26435/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6548251853193216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-17 23:29:42 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-10-24 19:11:12 +0200
commit: b990148d1e6dcfed7fc0a5d2d0d7f636fcf9896b (patch)
tree: 689dc2fa06d862b88bdf94734f8eb76335709a65
parent: 4e9514e99bf77bb3d1437e992c3e08ca7d1ebc46 (diff)
download: ffmpeg-b990148d1e6dcfed7fc0a5d2d0d7f636fcf9896b.tar.gz
1 files changed, 11 insertions, 3 deletions
diff --git a/libavformat/ifv.c b/libavformat/ifv.c
index f95e9b0e52..4e904fa828 100644
--- a/libavformat/ifv.c
+++ b/libavformat/ifv.c
@@ -210,6 +210,7 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt)
     }
 
     if (!ev) {
+        uint64_t vframes, aframes;
         if (ifv->is_audio_present && !ea) {
             /*read new video and audio indexes*/
 
@@ -217,8 +218,12 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt)
             ifv->next_audio_index = ifv->total_aframes;
 
             avio_skip(s->pb, 0x1c);
-            ifv->total_vframes += avio_rl32(s->pb);
-            ifv->total_aframes += avio_rl32(s->pb);
+            vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb);
+            aframes = ifv->total_aframes + (uint64_t)avio_rl32(s->pb);
+            if (vframes > INT_MAX || aframes > INT_MAX)
+                return AVERROR_INVALIDDATA;
+            ifv->total_vframes = vframes;
+            ifv->total_aframes = aframes;
             avio_skip(s->pb, 0xc);
 
             if (avio_feof(s->pb))
@@ -240,7 +245,10 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt)
             ifv->next_video_index = ifv->total_vframes;
 
             avio_skip(s->pb, 0x1c);
-            ifv->total_vframes += avio_rl32(s->pb);
+            vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb);
+            if (vframes > INT_MAX)
+                return AVERROR_INVALIDDATA;
+            ifv->total_vframes = vframes;
             avio_skip(s->pb, 0x10);
 
             if (avio_feof(s->pb))
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-17 23:29:42 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-10-24 19:11:12 +0200
commit	b990148d1e6dcfed7fc0a5d2d0d7f636fcf9896b (patch)
tree	689dc2fa06d862b88bdf94734f8eb76335709a65
parent	4e9514e99bf77bb3d1437e992c3e08ca7d1ebc46 (diff)
download	ffmpeg-b990148d1e6dcfed7fc0a5d2d0d7f636fcf9896b.tar.gz