virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-03-28 12:32:17 +02:00
Code Issues Releases Activity

avformat/mvi: Check audio_data_size to be non negative

Browse Source 
Fixes: left shift of negative value -224
Fixes: 32144/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-4971479323246592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e241a1b73bcca768f48ff1851e9e9f3f0752000)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-04-10 22:55:00 +02:00
parent f08c4b72f2
commit 9a0a851fae
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libavformat/mvi.c
View File

@ -32,7 +32,6 @@
typedef struct MviDemuxContext { typedef struct MviDemuxContext {
unsigned int (*get_int)(AVIOContext *); unsigned int (*get_int)(AVIOContext *);
uint32_t audio_data_size;
uint64_t audio_size_counter; uint64_t audio_size_counter;
uint64_t audio_frame_size; uint64_t audio_frame_size;
int audio_size_left; int audio_size_left;
@ -46,6 +45,7 @@ static int read_header(AVFormatContext *s)
AVStream *ast, *vst; AVStream *ast, *vst;
unsigned int version, frames_count, msecs_per_frame, player_version; unsigned int version, frames_count, msecs_per_frame, player_version;
int ret; int ret;
int audio_data_size;
ast = avformat_new_stream(s, NULL); ast = avformat_new_stream(s, NULL);
if (!ast) if (!ast)
@ -67,13 +67,13 @@ static int read_header(AVFormatContext *s)
vst->codecpar->height = avio_rl16(pb); vst->codecpar->height = avio_rl16(pb);
avio_r8(pb); avio_r8(pb);
ast->codecpar->sample_rate = avio_rl16(pb); ast->codecpar->sample_rate = avio_rl16(pb);
mvi->audio_data_size = avio_rl32(pb); audio_data_size = avio_rl32(pb);
avio_r8(pb); avio_r8(pb);
player_version = avio_rl32(pb); player_version = avio_rl32(pb);
avio_rl16(pb); avio_rl16(pb);
avio_r8(pb); avio_r8(pb);
if (frames_count == 0 || mvi->audio_data_size == 0) if (frames_count == 0 || audio_data_size <= 0)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
if (version != 7 || player_version > 213) { if (version != 7 || player_version > 213) {
@ -96,16 +96,16 @@ static int read_header(AVFormatContext *s)
mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24;
mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; mvi->audio_frame_size = ((uint64_t)audio_data_size << MVI_FRAC_BITS) / frames_count;
if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
av_log(s, AV_LOG_ERROR, av_log(s, AV_LOG_ERROR,
"Invalid audio_data_size (%"PRIu32") or frames_count (%u)\n", "Invalid audio_data_size (%d) or frames_count (%u)\n",
mvi->audio_data_size, frames_count); audio_data_size, frames_count);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
mvi->audio_size_counter = (ast->codecpar->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size; mvi->audio_size_counter = (ast->codecpar->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size;
mvi->audio_size_left = mvi->audio_data_size; mvi->audio_size_left = audio_data_size;
return 0; return 0;
} }