[FFmpeg-devel] [PATCH 2/7] avformat/aiffdec: Check for size overflow in header parsing
Michael Niedermayer
michael at niedermayer.cc
Fri Apr 23 20:50:51 EEST 2021
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6723467048255488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavformat/aiffdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
index 1b693b71a3..7ec408b2e6 100644
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -100,6 +100,9 @@ static int get_aiff_header(AVFormatContext *s, int size,
int sample_rate;
unsigned int num_frames;
+ if (size == INT_MAX)
+ return AVERROR_INVALIDDATA;
+
if (size & 1)
size++;
par->codec_type = AVMEDIA_TYPE_AUDIO;
--
2.17.1
More information about the ffmpeg-devel
mailing list