avformat/asf: Check picsize

Fixes: signed integer overflow: 1073750247 * 2 cannot be represented in type 'int'
Fixes: 70722/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5447231587549184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2024-09-19 19:56:48 +02:00
parent ad35eaf848
commit fde8637fda
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64

View File

@ -90,8 +90,8 @@ static int asf_read_picture(AVFormatContext *s, int len)
return 0;
}
if (picsize >= len) {
av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d >= %d.\n",
if (picsize >= len || ((int64_t)len - picsize) * 2 + 1 > INT_MAX) {
av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d (len = %d).\n",
picsize, len);
return AVERROR_INVALIDDATA;
}