[FFmpeg-cvslog] avformat/mxfdec: Check size for shrinking
Michael Niedermayer
git at videolan.org
Wed Sep 8 22:43:13 EEST 2021
ffmpeg | branch: release/4.4 | Michael Niedermayer <michael at niedermayer.cc> | Sun Jul 11 12:39:34 2021 +0200| [aa5b8c95907e75f9289e5b4dda28deabd30d294e] | committer: Michael Niedermayer
avformat/mxfdec: Check size for shrinking
av_shrink_packet() takes int size, so size must fit in int
Fixes: out of array access
Fixes: 35607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4875541323841536
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 65b862ab59c4bfaae98be596b84a072f52444398)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aa5b8c95907e75f9289e5b4dda28deabd30d294e
---
libavformat/mxfdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 840484b37e..c51eed32ec 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -624,7 +624,7 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv
return AVERROR_INVALIDDATA;
// enc. code
size = klv_decode_ber_length(pb);
- if (size < 32 || size - 32 < orig_size)
+ if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size)
return AVERROR_INVALIDDATA;
avio_read(pb, ivec, 16);
avio_read(pb, tmpbuf, 16);
More information about the ffmpeg-cvslog
mailing list