RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-01-31 03:44:15 +00:00
Code Issues Projects Releases Wiki Activity

avformat/id3v2: Check end for overflow in id3v2_parse()

Browse Source 
Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be represented in type 'long'
Fixes: 33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-04-19 20:23:44 +02:00
parent f7c3484b26
commit efdb564504
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavformat/id3v2.c
View File

@ -824,7 +824,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata,
int isv34, unsync; int isv34, unsync;
unsigned tlen; unsigned tlen;
char tag[5]; char tag[5];
int64_t next, end = avio_tell(pb) + len; int64_t next, end = avio_tell(pb);
int taghdrlen; int taghdrlen;
const char *reason = NULL; const char *reason = NULL;
AVIOContext pb_local; AVIOContext pb_local;
@ -836,6 +836,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata,
av_unused int uncompressed_buffer_size = 0; av_unused int uncompressed_buffer_size = 0;
const char *comm_frame; const char *comm_frame;
if (end > INT64_MAX - len - 10)
return;
end += len;
av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len);
switch (version) { switch (version) {