mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
avformat/avidec: fix position overflow in avi_load_index()
Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
f034c2e36a
commit
527821a2dd
@ -1776,7 +1776,10 @@ static int avi_load_index(AVFormatContext *s)
|
||||
size = avio_rl32(pb);
|
||||
if (avio_feof(pb))
|
||||
break;
|
||||
next = avio_tell(pb) + size + (size & 1);
|
||||
next = avio_tell(pb);
|
||||
if (next < 0 || next > INT64_MAX - size - (size & 1))
|
||||
break;
|
||||
next += size + (size & 1LL);
|
||||
|
||||
if (tag == MKTAG('i', 'd', 'x', '1') &&
|
||||
avi_read_idx1(s, size) >= 0) {
|
||||
|
Loading…
Reference in New Issue
Block a user