avformat/asfdec_o: Limit packet offset

avoids overflows with it Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136 Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 736e9e69d5) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-09-17 21:30:55 +02:00 · 2022-09-17 21:30:55 +02:00 · 0c56afb8d6
parent 4235afc12c
commit 0c56afb8d6
1 changed files with 2 additions and 0 deletions
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@ -1361,6 +1361,8 @@ static int asf_read_packet_header(AVFormatContext *s)
    unsigned char error_flags, len_flags, pay_flags;

    asf->packet_offset = avio_tell(pb);
+    if (asf->packet_offset > INT64_MAX/2)
+        asf->packet_offset = 0;
    error_flags = avio_r8(pb); // read Error Correction Flags
    if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) {
        if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) {