@@ -273,10 +273,11 @@ static int cine_read_header(AVFormatContext *avctx)
/* parse image offsets */
avio_seek(pb, offImageOffsets, SEEK_SET);
for (i = 0; i < st->duration; i++) {
- if (avio_feof(pb))
+ int64_t pos = avio_rl64(pb);
+ if (avio_feof(pb) || pos < 0)
return AVERROR_INVALIDDATA;
- av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+ av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME);
}
return 0;
@@ -302,10 +303,10 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
return AVERROR_INVALIDDATA;
avio_skip(pb, n - 8);
size = avio_rl32(pb);
- if (avio_feof(pb))
+ if (avio_feof(pb) || size < 0)
return AVERROR_INVALIDDATA;
- if (cine->maxsize && sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
+ if (cine->maxsize && (uint64_t)sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
size = cine->maxsize - sti->index_entries[cine->pts].pos - n;
ret = av_get_packet(pb, pkt, size);
@@ -313,7 +314,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
return ret;
if (ret != size)
- cine->maxsize = sti->index_entries[cine->pts].pos + n + ret;
+ cine->maxsize = (uint64_t)sti->index_entries[cine->pts].pos + n + ret;
pkt->pts = cine->pts++;
pkt->stream_index = 0;
Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long' Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/cinedec.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)