Message ID | 20210227222810.1462-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 403b35e16e16a8c4a13e531ccdc23598f685ca20 |
Headers | show |
Series | [FFmpeg-devel,1/2] avformat/mvi: Check audio size for more overflows | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
On Sat, Feb 27, 2021 at 11:28:09PM +0100, Michael Niedermayer wrote: > Fixes: left shift of negative value -352256000 > Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/mvi.c | 4 ++++ > 1 file changed, 4 insertions(+) will apply patchset [...]
diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 2d4b11aa32..cfdbe5d273 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -120,6 +120,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) mvi->video_frame_size = (mvi->get_int)(pb); if (mvi->audio_size_left == 0) return AVERROR(EIO); + if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size || + mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS) + return AVERROR_INVALIDDATA; + count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left;
Fixes: left shift of negative value -352256000 Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mvi.c | 4 ++++ 1 file changed, 4 insertions(+)