avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags()

Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long'
Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d3d9b1fc8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-01-21 21:41:41 +01:00
parent 53fccd5726
commit 39006dfef8
1 changed files with 4 additions and 1 deletions

View File

@ -2736,8 +2736,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF
int ret;
int tag = avio_rb16(pb);
int size = avio_rb16(pb); /* KLV specified by 0x53 */
uint64_t next = avio_tell(pb) + size;
int64_t next = avio_tell(pb);
UID uid = {0};
if (next < 0 || next > INT64_MAX - size)
return next < 0 ? next : AVERROR_INVALIDDATA;
next += size;
av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size);
if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */