diff mbox series

[FFmpeg-devel,2/4] avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet()

Message ID 20210303094904.4221-2-michael@niedermayer.cc
State Accepted
Commit 337984c13327bc67e1e9e3e9bfd743cfbfbc42f8
Headers show
Series [FFmpeg-devel,1/4] avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() | expand

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer March 3, 2021, 9:49 a.m. UTC 
Fixes: memleak
Fixes: 30909/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4886284057313280

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/voc_packet.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer March 14, 2021, 10:12 p.m. UTC | #1 
On Wed, Mar 03, 2021 at 10:49:02AM +0100, Michael Niedermayer wrote:
> Fixes: memleak
> Fixes: 30909/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4886284057313280
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/voc_packet.c | 14 +++++++++++++-
>  1 file changed, 13 insertions(+), 1 deletion(-)

will apply

[...]
diff mbox series

Patch

diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c
index 9d7d2025cd..e5ae0be1de 100644
--- a/libavformat/voc_packet.c
+++ b/libavformat/voc_packet.c
@@ -51,14 +51,22 @@  ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size)
             return AVERROR_EOF;
         voc->remaining_size = avio_rl24(pb);
         if (!voc->remaining_size) {
+            int64_t filesize;
             if (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL))
                 return AVERROR(EIO);
-            voc->remaining_size = avio_size(pb) - avio_tell(pb);
+            filesize = avio_size(pb);
+            if (filesize - avio_tell(pb) > INT_MAX)
+                return AVERROR_INVALIDDATA;
+            voc->remaining_size = filesize - avio_tell(pb);
         }
         max_size -= 4;
 
         switch (type) {
         case VOC_TYPE_VOICE_DATA:
+            if (voc->remaining_size < 2) {
+                voc->remaining_size = 0;
+                return AVERROR_INVALIDDATA;
+            }
             if (!par->sample_rate) {
                 par->sample_rate = 1000000 / (256 - avio_r8(pb));
                 if (sample_rate)
@@ -87,6 +95,10 @@  ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size)
             break;
 
         case VOC_TYPE_NEW_VOICE_DATA:
+            if (voc->remaining_size < 12) {
+                voc->remaining_size = 0;
+                return AVERROR_INVALIDDATA;
+            }
             if (!par->sample_rate) {
                 par->sample_rate = avio_rl32(pb);
                 avpriv_set_pts_info(st, 64, 1, par->sample_rate);