
[FFmpeg-devel,1/2] avformat/mvi: Check audio size for more overflows

Message ID 20210227222810.1462-1-michael@niedermayer.cc
State Accepted
Commit 403b35e16e16a8c4a13e531ccdc23598f685ca20
Series [FFmpeg-devel,1/2] avformat/mvi: Check audio size for more overflows

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer Feb. 27, 2021, 10:28 p.m. UTC
Fixes: left shift of negative value -352256000
Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mvi.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Michael Niedermayer March 14, 2021, 10:11 p.m. UTC | #1
On Sat, Feb 27, 2021 at 11:28:09PM +0100, Michael Niedermayer wrote:
> Fixes: left shift of negative value -352256000
> Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mvi.c | 4 ++++
>  1 file changed, 4 insertions(+)

will apply patchset

[...]

Patch

diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 2d4b11aa32..cfdbe5d273 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -120,6 +120,10 @@  static int read_packet(AVFormatContext *s, AVPacket *pkt)
         mvi->video_frame_size = (mvi->get_int)(pb);
         if (mvi->audio_size_left == 0)
             return AVERROR(EIO);
+        if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size ||
+            mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS)
+            return AVERROR_INVALIDDATA;
+
         count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS;
         if (count > mvi->audio_size_left)
             count = mvi->audio_size_left;
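Review bot: the new guard is only sound if `audio_size_counter` and `audio_frame_size` are 64-bit unsigned fields (their declarations are outside this hunk); with a narrower type `mvi->audio_size_counter + 512` would be promoted or wrap before the comparison against `UINT64_MAX`, so confirm the struct types in the same change. A one-line comment above the check would also help future readers: the first clause exists so the addition in the second clause cannot wrap, and the second clause keeps the value below `INT32_MAX` after the `>> MVI_FRAC_BITS` shift so that `count` fits its integer type. Finally, the literal 512 is now repeated in the check and in the `count` computation on the following line; hoisting the sum into a local or a named constant would keep the two from drifting apart.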