avformat/id3v2: Check end for overflow in id3v2_parse()

Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be represented in type 'long' Fixes: 33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit efdb564504) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-19 20:23:44 +02:00 · 2021-04-19 20:23:44 +02:00 · 588c22d057
parent 06342bca35
commit 588c22d057
1 changed files with 5 additions and 1 deletions
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@ -828,7 +828,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata,
    int isv34, unsync;
    unsigned tlen;
    char tag[5];
-    int64_t next, end = avio_tell(pb) + len;
+    int64_t next, end = avio_tell(pb);
    int taghdrlen;
    const char *reason = NULL;
    AVIOContext pb_local;
@ -840,6 +840,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata,
    av_unused int uncompressed_buffer_size = 0;
    const char *comm_frame;

+    if (end > INT64_MAX - len - 10)
+        return;
+    end += len;
+
    av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len);

    switch (version) {