From 884a108121d027ee4aa7d5a70247565cf0105afa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Jun 2022 21:13:11 +0200 Subject: avformat/cinedec: Check size and pos more Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long' Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'libavformat/cinedec.c') diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index f4779b2676..e8d9657ee1 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -273,10 +273,11 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); for (i = 0; i < st->duration; i++) { - if (avio_feof(pb)) + int64_t pos = avio_rl64(pb); + if (avio_feof(pb) || pos < 0) return AVERROR_INVALIDDATA; - av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); + av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME); } return 0; @@ -302,10 +303,10 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) return AVERROR_INVALIDDATA; avio_skip(pb, n - 8); size = avio_rl32(pb); - if (avio_feof(pb)) + if (avio_feof(pb) || size < 0) return AVERROR_INVALIDDATA; - if (cine->maxsize && sti->index_entries[cine->pts].pos + size + n > cine->maxsize) + if (cine->maxsize && (uint64_t)sti->index_entries[cine->pts].pos + size + n > cine->maxsize) size = cine->maxsize - sti->index_entries[cine->pts].pos - n; ret = av_get_packet(pb, pkt, size); @@ -313,7 +314,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) return ret; if (ret != size) - cine->maxsize = sti->index_entries[cine->pts].pos + n + ret; + cine->maxsize = (uint64_t)sti->index_entries[cine->pts].pos + n + ret; pkt->pts = cine->pts++; pkt->stream_index = 0; -- cgit v1.2.3