aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2020-03-15 17:26:51 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2020-03-21 20:55:27 +0100
commitc8140fe7324f264faacf7395b27e12531d1f13f7 (patch)
treef80726539eb517f3575cffa4d1f73fa4af21d02f
parent559ce9c8454fda5fe7fc0debf94cbcfbba33c66a (diff)
downloadffmpeg-c8140fe7324f264faacf7395b27e12531d1f13f7.tar.gz
avformat/asfdec_f: Fix overflow check in get_tag()
Fixes: signed integer overflow: 2 * 1210064928 cannot be represented in type 'int' Fixes: 20873/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5761116909338624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov <anton@khirnov.net> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/asfdec_f.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 57dc3b09b9..f0cb353587 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -321,8 +321,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int
int64_t off = avio_tell(s->pb);
#define LEN 22
- if ((unsigned)len >= (UINT_MAX - LEN) / 2)
- return;
+ av_assert0((unsigned)len < (INT_MAX - LEN) / 2);
if (!asf->export_xmp && !strncmp(key, "xmp", 3))
goto finish;
@@ -712,6 +711,9 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size)
value_type = avio_rl16(pb); /* value_type */
value_len = avio_rl32(pb);
+ if (value_len < 0 || value_len > UINT16_MAX)
+ return AVERROR_INVALIDDATA;
+
name_len_utf8 = 2*name_len_utf16 + 1;
name = av_malloc(name_len_utf8);
if (!name)
@@ -857,11 +859,20 @@ static int asf_read_header(AVFormatContext *s)
return ret;
av_hex_dump_log(s, AV_LOG_DEBUG, pkt.data, pkt.size);
av_packet_unref(&pkt);
+
len= avio_rl32(pb);
+ if (len > UINT16_MAX)
+ return AVERROR_INVALIDDATA;
get_tag(s, "ASF_Protection_Type", -1, len, 32);
+
len= avio_rl32(pb);
+ if (len > UINT16_MAX)
+ return AVERROR_INVALIDDATA;
get_tag(s, "ASF_Key_ID", -1, len, 32);
+
len= avio_rl32(pb);
+ if (len > UINT16_MAX)
+ return AVERROR_INVALIDDATA;
get_tag(s, "ASF_License_URL", -1, len, 32);
} else if (!ff_guidcmp(&g, &ff_asf_ext_content_encryption)) {
av_log(s, AV_LOG_WARNING,