PR #23695 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23695
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23695.patch

Fixes: 
523658585/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5454488994643968
Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>



>From 9e37e38bc6babf3a5e6f38c8b3b844e3ab6d8837 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Fri, 3 Jul 2026 04:47:13 +0200
Subject: [PATCH] avformat/wavdec: fix integer overflow in W64 chunk size check

Fixes: 
523658585/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5454488994643968
Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/wavdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index b980bebf0e..247681e265 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -908,7 +908,7 @@ static int w64_read_header(AVFormatContext *s)
         if (avio_read(pb, guid, 16) != 16)
             break;
         size = avio_rl64(pb);
-        if (size <= 24 || INT64_MAX - size < avio_tell(pb)) {
+        if (size <= 24 || INT64_MAX - size - 7 < avio_tell(pb)) {
             if (data_ofs)
                 break;
             return AVERROR_INVALIDDATA;
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to