diff mbox series

[FFmpeg-devel,3/5] avformat/asfdec_f: Check for negative ext_len

Message ID 20201016173530.9142-3-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/5] avcodec/mobiclip: Avoid signed integer overflows in idct()
Related show

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Michael Niedermayer Oct. 16, 2020, 5:35 p.m. UTC
Fixes: Infinite loop
Fixes: 26376/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_U32LE_fuzzer-6050518830678016
Fixes: 26377/clusterfuzz-testcase-minimized-ffmpeg_dem_TY_fuzzer-4838195726123008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/asfdec_f.c | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 103155e9e7..4fba6c08b0 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -607,6 +607,8 @@  static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
         ff_get_guid(pb, &g);
         size = avio_rl16(pb);
         ext_len = avio_rl32(pb);
+        if (ext_len < 0)
+            return AVERROR_INVALIDDATA;
         avio_skip(pb, ext_len);
         if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) {
             ASFPayload *p = &asf->streams[stream_num].payload[i];