[FFmpeg-cvslog] avformat/avidec: fix position overflow in avi_load_index()
Michael Niedermayer
git at videolan.org
Wed Sep 8 22:43:33 EEST 2021
ffmpeg | branch: release/4.4 | Michael Niedermayer <michael at niedermayer.cc> | Fri Apr 23 19:11:03 2021 +0200| [f89b52fbca6fb162a3dfb5d7c36164fd10242448] | committer: Michael Niedermayer
avformat/avidec: fix position overflow in avi_load_index()
Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 527821a2dd6f19d9a4d2abe05833346ae86c66c6)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f89b52fbca6fb162a3dfb5d7c36164fd10242448
---
libavformat/avidec.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 59929afd49..079f2dbf8a 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1783,7 +1783,10 @@ static int avi_load_index(AVFormatContext *s)
size = avio_rl32(pb);
if (avio_feof(pb))
break;
- next = avio_tell(pb) + size + (size & 1);
+ next = avio_tell(pb);
+ if (next < 0 || next > INT64_MAX - size - (size & 1))
+ break;
+ next += size + (size & 1LL);
if (tag == MKTAG('i', 'd', 'x', '1') &&
avi_read_idx1(s, size) >= 0) {
More information about the ffmpeg-cvslog
mailing list