Message ID | 20221006203709.8398-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 557aa7772e6cd646baa7bfd0046ac7e37442cff3 |
Headers | show |
Series | [FFmpeg-devel,1/4] avformat/asfdec_o: Check offset before adding index entry | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Thu, Oct 06, 2022 at 10:37:06PM +0200, Michael Niedermayer wrote: > Fixes: signed integer overflow: 9223372036854550860 + 530259564 cannot be represented in type 'long' > Fixes: 49093/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-4697179192688640 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/asfdec_o.c | 2 ++ > 1 file changed, 2 insertions(+) will apply patchset [...]
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index e837ca62e7f..2b407c016f2 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -888,6 +888,8 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g) av_log(s, AV_LOG_ERROR, "Skipping failed in asf_read_simple_index.\n"); return offset; } + if (asf->first_packet_offset > INT64_MAX - asf->packet_size * pkt_num) + return AVERROR_INVALIDDATA; if (prev_pkt_num != pkt_num) { av_add_index_entry(st, asf->first_packet_offset + asf->packet_size * pkt_num, av_rescale(interval, i, 10000),
Fixes: signed integer overflow: 9223372036854550860 + 530259564 cannot be represented in type 'long' Fixes: 49093/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-4697179192688640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/asfdec_o.c | 2 ++ 1 file changed, 2 insertions(+)