From e84ddc90c78696adcebb2e6d43c1e60467992362 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 20:31:32 +0200 Subject: [PATCH] libavformat/iff: Check for overflow in body_end calculation Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index cf4d42ecab..bce9425a32 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -502,6 +502,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) {