[FFmpeg-cvslog] avformat/mvi: Check audio size for more overflows
Michael Niedermayer
git at videolan.org
Mon Mar 15 00:32:12 EET 2021
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Feb 22 20:20:48 2021 +0100| [403b35e16e16a8c4a13e531ccdc23598f685ca20] | committer: Michael Niedermayer
avformat/mvi: Check audio size for more overflows
Fixes: left shift of negative value -352256000
Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=403b35e16e16a8c4a13e531ccdc23598f685ca20
---
libavformat/mvi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 2d4b11aa32..cfdbe5d273 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -120,6 +120,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
mvi->video_frame_size = (mvi->get_int)(pb);
if (mvi->audio_size_left == 0)
return AVERROR(EIO);
+ if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size ||
+ mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS)
+ return AVERROR_INVALIDDATA;
+
count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS;
if (count > mvi->audio_size_left)
count = mvi->audio_size_left;
More information about the ffmpeg-cvslog
mailing list