From patchwork Fri Sep 29 23:20:01 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 44043
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:1204:b0:15d:8365:d4b8 with SMTP id v4csp97871pzf;
        Fri, 29 Sep 2023 16:20:59 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IG6PKhFW3ctctwcTdARiZpH5dEX+iSFY4nPluWtL4O/KebVt7q9ZnQhB2wVN6FUei6uTXvO
X-Received: by 2002:a05:6402:389:b0:52d:212d:78ed with SMTP id
 o9-20020a056402038900b0052d212d78edmr5070001edv.29.1696029658966;
        Fri, 29 Sep 2023 16:20:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696029658; cv=none;
        d=google.com; s=arc-20160816;
        b=TzqLl1j0g9YpXV1KCOorjWqvVY/rSxMxd27taf1ccQJFDAc8Vo+zx7GW8lVoOEFWwf
         RxgDMVlJPUQnuoEEM4llqzWo/kCxSHwz24ino/bm4ZvjVbNVCAOnOoGG2PUPvkokhWXU
         IttQQsAB9l0zzrnAMAvsjAfH72hAD3FotVGGEJAbOFnn8J0ZxA7xXzEL/dJFgLK8s2Dj
         Eawy8dRnlVDlncyKJBCmzWxpmi1UGmCFZgU2bWFZ5Th/vu0REOn6bybnF8UGjt3FitfW
         12ojvIManaJgWJt+QIKRCaeYfE1DMTYKR5k1SsxxByxOsFvP3iY8nsPbBS/bGOEduqZC
         Ccsg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:references:in-reply-to:message-id:date
         :to:from:delivered-to;
        bh=ziFj8s343zmXjMz0fT8pLnW81kNqkr8sXMMtGDibLP8=;
        fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=;
        b=dMyo7V9x0banI8SWTc8vvXcRAXJ4Vrfr+ZT/IT9L3X/znzgp+g/HidI9dJbo2raAgN
         w9RCPfGJ+UrJlFnvD4HcN5u4bARgoHUqG9/4YvHUp5gsDkskRiaoDlV6KvDuKeBxVM9t
         qaEkyR0sg7PTozeJgUa2Q2uoZBQGJxSJ7eJAPo0CioNgsw3YgtA0jGUgHR+CsgYoeNE4
         NU5Z19GpeL0cU1L6uqtB1WNEVBH7qgNxNE9usfHdvEsy8bT9AmXIE3uYwX4rKkFcp0Dk
         CiXeiKS/r+Qwf0WQvjtUymyGvtchOcNtOFxzFH1ycsqq8Z6ThZwhmlTd4/EH9iz/KeIf
         zYOg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 q5-20020aa7d445000000b0052c0eaa233asi16644202edr.597.2023.09.29.16.20.58;
        Fri, 29 Sep 2023 16:20:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1080668CCC2;
	Sat, 30 Sep 2023 02:20:17 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net
 [217.70.183.200])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id F39CB68CCAF
 for <ffmpeg-devel@ffmpeg.org>; Sat, 30 Sep 2023 02:20:08 +0300 (EEST)
Received: by mail.gandi.net (Postfix) with ESMTPSA id 1668920003
 for <ffmpeg-devel@ffmpeg.org>; Fri, 29 Sep 2023 23:20:07 +0000 (UTC)
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sat, 30 Sep 2023 01:20:01 +0200
Message-Id: <20230929232001.23197-6-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230929232001.23197-1-michael@niedermayer.cc>
References: <20230929232001.23197-1-michael@niedermayer.cc>
X-GND-Sasl: michael@niedermayer.cc
Subject: [FFmpeg-devel] [PATCH 6/6] avformat/iff: Saturate avio_tell() + 12
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: PeDWC61JAC4m

Fixes: signed integer overflow: 9223372036854775796 + 12 cannot be represented in type 'long long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4898373660704768

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/iff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/iff.c b/libavformat/iff.c
index b8e8bffe03f..5bff0e9b6c1 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -217,7 +217,7 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof)
 {
     AVIOContext *pb = s->pb;
 
-    while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) {
+    while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) {
         uint32_t tag      = avio_rl32(pb);
         uint64_t size     = avio_rb64(pb);
         uint64_t orig_pos = avio_tell(pb);
@@ -254,7 +254,7 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof)
     int dsd_layout[6];
     ID3v2ExtraMeta *id3v2_extra_meta;
 
-    while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) {
+    while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) {
         uint32_t tag      = avio_rl32(pb);
         uint64_t size     = avio_rb64(pb);
         uint64_t orig_pos = avio_tell(pb);