avformat/ape: more bits in size for less overflows

Fixes: signed integer overflow: 2147483647 + 3 cannot be represented in type 'int' Fixes: 46184/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-4678059519770624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit e5f6707a7b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-02 22:18:49 +02:00 · 2022-04-02 22:18:49 +02:00 · 93145eaeba
parent 0487f8e95e
commit 93145eaeba
1 changed files with 5 additions and 4 deletions
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@ -42,8 +42,8 @@

 typedef struct APEFrame {
    int64_t pos;
+    int64_t size;
    int nblocks;
-    int size;
    int skip;
    int64_t pts;
 } APEFrame;
@ -146,7 +146,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx)

    av_log(s, AV_LOG_DEBUG, "\nFrames\n\n");
    for (i = 0; i < ape_ctx->totalframes; i++)
-        av_log(s, AV_LOG_DEBUG, "%8d   %8"PRId64" %8d (%d samples)\n", i,
+        av_log(s, AV_LOG_DEBUG, "%8d   %8"PRId64" %8"PRId64" (%d samples)\n", i,
               ape_ctx->frames[i].pos, ape_ctx->frames[i].size,
               ape_ctx->frames[i].nblocks);

@ -164,7 +164,8 @@ static int ape_read_header(AVFormatContext * s)
    AVStream *st;
    uint32_t tag;
    int i;
-    int total_blocks, final_size = 0;
+    int total_blocks;
+    int64_t final_size = 0;
    int64_t pts, file_size;

    /* Skip any leading junk such as id3v2 tags */
@ -403,7 +404,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt)

    if (ape->frames[ape->currentframe].size <= 0 ||
        ape->frames[ape->currentframe].size > INT_MAX - extra_size) {
-        av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n",
+        av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n",
               ape->frames[ape->currentframe].size);
        ape->currentframe++;
        return AVERROR(EIO);