[FFmpeg-devel] [PATCH 1/2] avformat/iff: Check data_size not overflowing int64
Peter Ross
pross at xvid.org
Mon Sep 28 01:30:50 EEST 2020
On Sun, Sep 27, 2020 at 10:20:52PM +0200, Michael Niedermayer wrote:
> Fixes: Infinite loop
> Fixes: 25844/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5660803318153216
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/iff.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/iff.c b/libavformat/iff.c
> index 7feb121cd0..04fe8be4eb 100644
> --- a/libavformat/iff.c
> +++ b/libavformat/iff.c
> @@ -449,6 +449,9 @@ static int iff_read_header(AVFormatContext *s)
> data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb);
> orig_pos = avio_tell(pb);
>
> + if (data_size >= INT64_MAX)
> + return AVERROR_INVALIDDATA;
> +
> switch(chunk_id) {
> case ID_VHDR:
> st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
> --
> 2.17.1
ok
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200928/5aab4898/attachment.sig>
More information about the ffmpeg-devel
mailing list