virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-29 22:00:58 +02:00
Code Issues Releases Activity

avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()

Browse Source 
Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long'
Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800

Alternatively this could be ignored but then the end condition of the loop
would be hard to reach as avio_tell() is int64_t

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0bee216ad454dd7238a03dd9a76428cc6c3233cc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-01-12 21:17:18 +01:00
parent b9570ed6f3
commit d31c6fdf35
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/asfdec_o.c
View File

@ -1679,6 +1679,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t
ff_asf_guid guid;
int ret;
if (offset > INT64_MAX - size)
return AVERROR_INVALIDDATA;
while (avio_tell(pb) <= offset + size) {
if (avio_tell(pb) == asf->offset)
break;