RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avformat/mxfdec: Check run_in is within 65536 

Fixes: signed integer overflow: 9223372036854775807 - -2146905566 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6570996594769920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2022-09-18 14:28:03 +02:00
parent dd81cc22b3
commit 7786097825
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/mxfdec.c
View File

@ -65,6 +65,7 @@
#include "mxf.h"
#define MXF_MAX_CHUNK_SIZE (32 << 20)
#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant
typedef enum {
Header,
@ -3706,6 +3707,7 @@ static int mxf_read_header(AVFormatContext *s)
KLVPacket klv;
int64_t essence_offset = 0;
int ret;
int64_t run_in;
mxf->last_forward_tell = INT64_MAX;
@ -3715,7 +3717,10 @@ static int mxf_read_header(AVFormatContext *s)
}
avio_seek(s->pb, -14, SEEK_CUR);
mxf->fc = s;
mxf->run_in = avio_tell(s->pb);
run_in = avio_tell(s->pb);
if (run_in < 0 || run_in > RUN_IN_MAX)
return AVERROR_INVALIDDATA;
mxf->run_in = run_in;
mxf_read_random_index_pack(s);