[FFmpeg-cvslog] avformat/mpc8: Check for position overflow in mpc8_handle_chunk()
Michael Niedermayer
git at videolan.org
Wed Sep 8 22:42:26 EEST 2021
ffmpeg | branch: release/4.4 | Michael Niedermayer <michael at niedermayer.cc> | Sat Apr 24 17:42:19 2021 +0200| [a04d889c52fcab97d41d6df5745a8d4d9f489e91] | committer: Michael Niedermayer
avformat/mpc8: Check for position overflow in mpc8_handle_chunk()
Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 8ef25d118246bf443900033fb3588dba628d11b0)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a04d889c52fcab97d41d6df5745a8d4d9f489e91
---
libavformat/mpc8.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 88c55e3d22..95813df748 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -205,8 +205,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in
switch(tag){
case TAG_SEEKTBLOFF:
- pos = avio_tell(pb) + size;
+ pos = avio_tell(pb);
off = ffio_read_varlen(pb);
+ if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos)
+ return;
+ pos += size;
mpc8_parse_seektable(s, chunk_pos + off);
avio_seek(pb, pos, SEEK_SET);
break;
More information about the ffmpeg-cvslog
mailing list