Message ID | 20210303094904.4221-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 337984c13327bc67e1e9e3e9bfd743cfbfbc42f8 |
Headers | show |
Series | [FFmpeg-devel,1/4] avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
On Wed, Mar 03, 2021 at 10:49:02AM +0100, Michael Niedermayer wrote: > Fixes: memleak > Fixes: 30909/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4886284057313280 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/voc_packet.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) will apply [...]
diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 9d7d2025cd..e5ae0be1de 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -51,14 +51,22 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) return AVERROR_EOF; voc->remaining_size = avio_rl24(pb); if (!voc->remaining_size) { + int64_t filesize; if (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); - voc->remaining_size = avio_size(pb) - avio_tell(pb); + filesize = avio_size(pb); + if (filesize - avio_tell(pb) > INT_MAX) + return AVERROR_INVALIDDATA; + voc->remaining_size = filesize - avio_tell(pb); } max_size -= 4; switch (type) { case VOC_TYPE_VOICE_DATA: + if (voc->remaining_size < 2) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = 1000000 / (256 - avio_r8(pb)); if (sample_rate) @@ -87,6 +95,10 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) break; case VOC_TYPE_NEW_VOICE_DATA: + if (voc->remaining_size < 12) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = avio_rl32(pb); avpriv_set_pts_info(st, 64, 1, par->sample_rate);
Fixes: memleak Fixes: 30909/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4886284057313280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/voc_packet.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)