[FFmpeg-devel] [PATCH 1/2] avformat/wtvdec: Check len in parse_chunks() to avoid overflow
Michael Niedermayer
michael at niedermayer.cc
Mon Feb 8 19:55:17 EET 2021
On Tue, Feb 09, 2021 at 02:20:41AM +1100, Peter Ross wrote:
> On Mon, Feb 08, 2021 at 02:29:01PM +0100, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: 2147483647 + 7 cannot be represented in type 'int'
> > Fixes: 30084/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6192261941559296
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavformat/wtvdec.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
> > index 6c41e3c1a3..7def9d2348 100644
> > --- a/libavformat/wtvdec.c
> > +++ b/libavformat/wtvdec.c
> > @@ -794,7 +794,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p
> >
> > ff_get_guid(pb, &g);
> > len = avio_rl32(pb);
> > - if (len < 32) {
> > + if (len < 32 || len > INT_MAX - 7) {
> > int ret;
> > if (avio_feof(pb))
> > return AVERROR_EOF;
>
> the + 7 comes from WTV_PAD calculation
yes
> looks good
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who are best at talking, realize last or never when they are wrong.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20210208/3f96f040/attachment.sig>
More information about the ffmpeg-devel
mailing list