[FFmpeg-devel] [PATCH 2/3] avformat/cinedec: Check size and pos more
Michael Niedermayer
michael at niedermayer.cc
Sat Jul 2 15:22:49 EEST 2022
Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long'
Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavformat/cinedec.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
index f4779b2676..e8d9657ee1 100644
--- a/libavformat/cinedec.c
+++ b/libavformat/cinedec.c
@@ -273,10 +273,11 @@ static int cine_read_header(AVFormatContext *avctx)
/* parse image offsets */
avio_seek(pb, offImageOffsets, SEEK_SET);
for (i = 0; i < st->duration; i++) {
- if (avio_feof(pb))
+ int64_t pos = avio_rl64(pb);
+ if (avio_feof(pb) || pos < 0)
return AVERROR_INVALIDDATA;
- av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+ av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME);
}
return 0;
@@ -302,10 +303,10 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
return AVERROR_INVALIDDATA;
avio_skip(pb, n - 8);
size = avio_rl32(pb);
- if (avio_feof(pb))
+ if (avio_feof(pb) || size < 0)
return AVERROR_INVALIDDATA;
- if (cine->maxsize && sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
+ if (cine->maxsize && (uint64_t)sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
size = cine->maxsize - sti->index_entries[cine->pts].pos - n;
ret = av_get_packet(pb, pkt, size);
@@ -313,7 +314,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
return ret;
if (ret != size)
- cine->maxsize = sti->index_entries[cine->pts].pos + n + ret;
+ cine->maxsize = (uint64_t)sti->index_entries[cine->pts].pos + n + ret;
pkt->pts = cine->pts++;
pkt->stream_index = 0;
--
2.17.1
More information about the ffmpeg-devel
mailing list