ffmpeg | branch: master | Michael Niedermayer <[email protected]> | Mon Feb 22 20:20:48 2021 +0100| [403b35e16e16a8c4a13e531ccdc23598f685ca20] | committer: Michael Niedermayer
avformat/mvi: Check audio size for more overflows Fixes: left shift of negative value -352256000 Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=403b35e16e16a8c4a13e531ccdc23598f685ca20 --- libavformat/mvi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 2d4b11aa32..cfdbe5d273 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -120,6 +120,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) mvi->video_frame_size = (mvi->get_int)(pb); if (mvi->audio_size_left == 0) return AVERROR(EIO); + if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size || + mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS) + return AVERROR_INVALIDDATA; + count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; _______________________________________________ ffmpeg-cvslog mailing list [email protected] https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
