mirror of https://git.ffmpeg.org/ffmpeg.git
avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()
Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long' Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800 Alternatively this could be ignored but then the end condition of the loop would be hard to reach as avio_tell() is int64_t Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
03c479ce23
commit
0bee216ad4
|
@ -1661,6 +1661,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t
|
|||
ff_asf_guid guid;
|
||||
int ret;
|
||||
|
||||
if (offset > INT64_MAX - size)
|
||||
return AVERROR_INVALIDDATA;
|
||||
|
||||
while (avio_tell(pb) <= offset + size) {
|
||||
if (avio_tell(pb) == asf->offset)
|
||||
break;
|
||||
|
|
Loading…
Reference in New Issue