diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2020-10-17 23:29:42 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-09-10 16:04:26 +0200 |
| commit | e583c69816187ae852ad228b7a9bb08ef1d144c6 (patch) | |
| tree | bcd15424622332971b1c5389d8ecfc356f6b58ee | |
| parent | 4d5d82314fd857d11db18fa1bbf45af484dad98e (diff) | |
| download | ffmpeg-e583c69816187ae852ad228b7a9bb08ef1d144c6.tar.gz | |
avformat/ifv: Check that total frames do not overflow
Fixes: Infinite loop
Fixes: 26392/clusterfuzz-testcase-minimized-ffmpeg_dem_GIF_fuzzer-5713658237419520
Fixes: 26435/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6548251853193216
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b990148d1e6dcfed7fc0a5d2d0d7f636fcf9896b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/ifv.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/libavformat/ifv.c b/libavformat/ifv.c index f95e9b0e52..4e904fa828 100644 --- a/libavformat/ifv.c +++ b/libavformat/ifv.c @@ -210,6 +210,7 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) } if (!ev) { + uint64_t vframes, aframes; if (ifv->is_audio_present && !ea) { /*read new video and audio indexes*/ @@ -217,8 +218,12 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_audio_index = ifv->total_aframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); - ifv->total_aframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + aframes = ifv->total_aframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX || aframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; + ifv->total_aframes = aframes; avio_skip(s->pb, 0xc); if (avio_feof(s->pb)) @@ -240,7 +245,10 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_video_index = ifv->total_vframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; avio_skip(s->pb, 0x10); if (avio_feof(s->pb)) |