avformat/mvi: Check audio size for more overflows

Fixes: left shift of negative value -352256000 Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 403b35e16e16a8c4a13e531ccdc23598f685ca20) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-02-22 20:20:48 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-10-06 14:41:41 +0200
commit: ff0eb21c7522ceedc3e1d6836b5f15702ba3592c (patch)
tree: 6099b881dc18ddc86a5a61be0b1073a8f842e79a
parent: 767d4d152b66e2d2855e6ae7098ddf32d3aca076 (diff)
download: ffmpeg-ff0eb21c7522ceedc3e1d6836b5f15702ba3592c.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 2d4b11aa32..cfdbe5d273 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -120,6 +120,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
         mvi->video_frame_size = (mvi->get_int)(pb);
         if (mvi->audio_size_left == 0)
             return AVERROR(EIO);
+        if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size ||
+            mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS)
+            return AVERROR_INVALIDDATA;
+
         count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS;
         if (count > mvi->audio_size_left)
             count = mvi->audio_size_left;
author	Michael Niedermayer <michael@niedermayer.cc>	2021-02-22 20:20:48 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-10-06 14:41:41 +0200
commit	ff0eb21c7522ceedc3e1d6836b5f15702ba3592c (patch)
tree	6099b881dc18ddc86a5a61be0b1073a8f842e79a
parent	767d4d152b66e2d2855e6ae7098ddf32d3aca076 (diff)
download	ffmpeg-ff0eb21c7522ceedc3e1d6836b5f15702ba3592c.tar.gz