avformat/asfdec_f: Check name_len for overflow

Fixes: signed integer overflow: -1172299744 * 2 cannot be represented in type 'int' Fixes: 26258/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5672758488596480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-15 22:04:56 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-10-20 15:33:13 +0200
commit: 0d088a47ca0243576078f109fff20617d1fac382 (patch)
tree: fd8b02b96b118544ef4d58299efaafb95883a3e2 /libavformat
parent: d1983628394e076001cc67d85656f9842b7282a3 (diff)
download: ffmpeg-0d088a47ca0243576078f109fff20617d1fac382.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 103155e9e7..ff9107d73f 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -769,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
         avio_rl32(pb);             // send time
         avio_rl32(pb);             // flags
         name_len = avio_rl32(pb);  // name length
+        if ((unsigned)name_len > INT_MAX / 2)
+            return AVERROR_INVALIDDATA;
         if ((ret = avio_get_str16le(pb, name_len * 2, name,
                                     sizeof(name))) < name_len)
             avio_skip(pb, name_len - ret);
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-15 22:04:56 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-10-20 15:33:13 +0200
commit	0d088a47ca0243576078f109fff20617d1fac382 (patch)
tree	fd8b02b96b118544ef4d58299efaafb95883a3e2 /libavformat
parent	d1983628394e076001cc67d85656f9842b7282a3 (diff)
download	ffmpeg-0d088a47ca0243576078f109fff20617d1fac382.tar.gz