avformat/asfdec_f: Check name_len for overflow

Fixes: signed integer overflow: -1172299744 * 2 cannot be represented in type 'int' Fixes: 26258/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5672758488596480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 22:04:56 +02:00 · 2020-10-15 22:04:56 +02:00 · 0d088a47ca
parent d198362839
commit 0d088a47ca
1 changed files with 2 additions and 0 deletions
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@ -769,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
        avio_rl32(pb);             // send time
        avio_rl32(pb);             // flags
        name_len = avio_rl32(pb);  // name length
+        if ((unsigned)name_len > INT_MAX / 2)
+            return AVERROR_INVALIDDATA;
        if ((ret = avio_get_str16le(pb, name_len * 2, name,
                                    sizeof(name))) < name_len)
            avio_skip(pb, name_len - ret);