[FFmpeg-cvslog] avformat/mpc8: Check for position overflow in mpc8_handle_chunk()
Michael Niedermayer
git at videolan.org
Fri Jun 18 20:13:53 EEST 2021
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Apr 24 17:42:19 2021 +0200| [8ef25d118246bf443900033fb3588dba628d11b0] | committer: Michael Niedermayer
avformat/mpc8: Check for position overflow in mpc8_handle_chunk()
Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8ef25d118246bf443900033fb3588dba628d11b0
---
libavformat/mpc8.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 5498ce940d..df5d345f85 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -205,8 +205,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in
switch(tag){
case TAG_SEEKTBLOFF:
- pos = avio_tell(pb) + size;
+ pos = avio_tell(pb);
off = ffio_read_varlen(pb);
+ if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos)
+ return;
+ pos += size;
mpc8_parse_seektable(s, chunk_pos + off);
avio_seek(pb, pos, SEEK_SET);
break;
More information about the ffmpeg-cvslog
mailing list