aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2022-08-22 20:31:32 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2022-08-28 22:06:44 +0200
commitbcb46903040e5a5199281f4ad0a1fdaf750ebc37 (patch)
tree8072d86e3273c9389576b1fc817da098e2dc32c1 /libavformat
parent936f2d2634b57071579221d604062019028f8c9b (diff)
downloadffmpeg-bcb46903040e5a5199281f4ad0a1fdaf750ebc37.tar.gz
libavformat/iff: Check for overflow in body_end calculation
Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/iff.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c
index b37600605a..b8e8bffe03 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -501,6 +501,9 @@ static int iff_read_header(AVFormatContext *s)
case ID_DST:
case ID_MDAT:
iff->body_pos = avio_tell(pb);
+ if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX)
+ return AVERROR_INVALIDDATA;
+
iff->body_end = iff->body_pos + data_size;
iff->body_size = data_size;
if (chunk_id == ID_DST) {