diff mbox series

[FFmpeg-devel,3/3] avformat/flvdec: Check array entry number

Message ID 20210211223927.10122-3-michael@niedermayer.cc
State Accepted
Commit b5d8fe1c874947ca67ee8117b18f8052f0e590fc
Headers show
Series [FFmpeg-devel,1/3] avformat/electronicarts: Clear partial_packet on error | expand

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer Feb. 11, 2021, 10:39 p.m. UTC 
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/flvdec.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Michael Niedermayer March 28, 2021, 12:05 p.m. UTC | #1 
On Thu, Feb 11, 2021 at 11:39:27PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
> Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/flvdec.c | 2 ++
>  1 file changed, 2 insertions(+)

will apply

[...]
diff mbox series

Patch

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 30d1fcf4b7..138a96ec61 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -871,6 +871,8 @@  static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth)
         parse_name = 0;
     case AMF_DATA_TYPE_MIXEDARRAY:
         nb = avio_rb32(pb);
+        if (nb < 0)
+            return AVERROR_INVALIDDATA;
     case AMF_DATA_TYPE_OBJECT:
         while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) {
             if (parse_name) {