ffmpeg | branch: release/6.1 | Michael Niedermayer <mich...@niedermayer.cc> | Sat Sep 30 00:45:33 2023 +0200| [356251d750358f1d2431a99ab31980e496d0cd70] | committer: Michael Niedermayer
avformat/cafdec: Check that data chunk end fits within 64bit Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit b792e4d4c772b7b5ef8ea32be187a871000e50c2) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=356251d750358f1d2431a99ab31980e496d0cd70 --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index e92e3279fc..7a0b754697 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -343,6 +343,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); /* edit count */ caf->data_start = avio_tell(pb); caf->data_size = size < 0 ? -1 : size - 4; + if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start) + return AVERROR_INVALIDDATA; + if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL)) avio_skip(pb, caf->data_size); found_data = 1; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
