virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-24 13:56:33 +02:00
Code Issues Releases Activity

avformat/vividas: Check that value from ffio_read_varlen() does not overflow

Browse Source 
Fixes: signed integer overflow: -1241665686 + -1340629419 cannot be represented in type 'int'
Fixes: 15922/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5692826442006528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2019-07-20 22:41:08 +02:00
parent 8bac648359
commit 07357cd933
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/vividas.c
View File

@ -374,8 +374,11 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *
ffio_read_varlen(pb); // len_3 ffio_read_varlen(pb); // len_3
num_data = avio_r8(pb); num_data = avio_r8(pb);
for (j = 0; j < num_data; j++) { for (j = 0; j < num_data; j++) {
data_len[j] = ffio_read_varlen(pb); uint64_t len = ffio_read_varlen(pb);
xd_size += data_len[j]; if (len > INT_MAX/2 - xd_size)
return AVERROR_INVALIDDATA;
data_len[j] = len;
xd_size += len;
} }
st->codecpar->extradata_size = 64 + xd_size + xd_size / 255; st->codecpar->extradata_size = 64 + xd_size + xd_size / 255;