diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2021-04-23 19:11:03 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-07-31 22:08:17 +0200 |
| commit | 527821a2dd6f19d9a4d2abe05833346ae86c66c6 (patch) | |
| tree | 7f10ff477336cd280e8f7faccb91b50946025e58 /libavformat | |
| parent | f034c2e36acb7d0c11dc1849ddf8a67bde44eff4 (diff) | |
| download | ffmpeg-527821a2dd6f19d9a4d2abe05833346ae86c66c6.tar.gz | |
avformat/avidec: fix position overflow in avi_load_index()
Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
| -rw-r--r-- | libavformat/avidec.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 2e261c94e6..5d695b9839 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1776,7 +1776,10 @@ static int avi_load_index(AVFormatContext *s) size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); if (tag == MKTAG('i', 'd', 'x', '1') && avi_read_idx1(s, size) >= 0) { |