1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-26 19:01:44 +02:00

avformat/cinedec: Check size and pos more

Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long'
Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2022-06-27 21:13:11 +02:00
parent 9f77af177a
commit 884a108121

View File

@ -273,10 +273,11 @@ static int cine_read_header(AVFormatContext *avctx)
/* parse image offsets */
avio_seek(pb, offImageOffsets, SEEK_SET);
for (i = 0; i < st->duration; i++) {
if (avio_feof(pb))
int64_t pos = avio_rl64(pb);
if (avio_feof(pb) || pos < 0)
return AVERROR_INVALIDDATA;
av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME);
}
return 0;
@ -302,10 +303,10 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
return AVERROR_INVALIDDATA;
avio_skip(pb, n - 8);
size = avio_rl32(pb);
if (avio_feof(pb))
if (avio_feof(pb) || size < 0)
return AVERROR_INVALIDDATA;
if (cine->maxsize && sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
if (cine->maxsize && (uint64_t)sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
size = cine->maxsize - sti->index_entries[cine->pts].pos - n;
ret = av_get_packet(pb, pkt, size);
@ -313,7 +314,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
return ret;
if (ret != size)
cine->maxsize = sti->index_entries[cine->pts].pos + n + ret;
cine->maxsize = (uint64_t)sti->index_entries[cine->pts].pos + n + ret;
pkt->pts = cine->pts++;
pkt->stream_index = 0;