Message ID | 20210711132634.14829-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 65b862ab59c4bfaae98be596b84a072f52444398 |
Headers | show |
Series | [FFmpeg-devel,1/3] avcodec/exr: Check uncompressed_size against max_pixels | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 16f5052452..f813408b3d 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -622,7 +622,7 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv return AVERROR_INVALIDDATA; // enc. code size = klv_decode_ber_length(pb); - if (size < 32 || size - 32 < orig_size) + if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); avio_read(pb, tmpbuf, 16);
av_shrink_packet() takes int size, so size must fit in int Fixes: out of array access Fixes: 35607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4875541323841536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)