Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

avformat/avidec: fix position overflow in avi_load_index()

Browse Source 
Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
pull/361/merge
Michael Niedermayer 4 years ago
parent f034c2e36a
commit 527821a2dd
1 changed files with 4 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      libavformat/avidec.c

5
libavformat/avidec.c
Unescape View File

@ -1776,7 +1776,10 @@ static int avi_load_index(AVFormatContext *s)
size = avio_rl32(pb); size = avio_rl32(pb);
if (avio_feof(pb)) if (avio_feof(pb))
break; break;
next = avio_tell(pb) + size + (size & 1); next = avio_tell(pb);
if (next < 0 || next > INT64_MAX - size - (size & 1))
break;
next += size + (size & 1LL);
if (tag == MKTAG('i', 'd', 'x', '1') && if (tag == MKTAG('i', 'd', 'x', '1') &&
avi_read_idx1(s, size) >= 0) { avi_read_idx1(s, size) >= 0) {

Write Preview
Loading…
Cancel
Save