[FFmpeg-cvslog] avformat/mpc8: Check for position overflow in mpc8_handle_chunk()

Michael Niedermayer git at videolan.org
Wed Sep 8 22:42:26 EEST 2021


ffmpeg | branch: release/4.4 | Michael Niedermayer <michael at niedermayer.cc> | Sat Apr 24 17:42:19 2021 +0200| [a04d889c52fcab97d41d6df5745a8d4d9f489e91] | committer: Michael Niedermayer

avformat/mpc8: Check for position overflow in mpc8_handle_chunk()

Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 8ef25d118246bf443900033fb3588dba628d11b0)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a04d889c52fcab97d41d6df5745a8d4d9f489e91
---

 libavformat/mpc8.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 88c55e3d22..95813df748 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -205,8 +205,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in
 
     switch(tag){
     case TAG_SEEKTBLOFF:
-        pos = avio_tell(pb) + size;
+        pos = avio_tell(pb);
         off = ffio_read_varlen(pb);
+        if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos)
+            return;
+        pos += size;
         mpc8_parse_seektable(s, chunk_pos + off);
         avio_seek(pb, pos, SEEK_SET);
         break;



More information about the ffmpeg-cvslog mailing list