authorMichael Niedermayer <michael@niedermayer.cc>2023-09-30 00:45:33 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2024-03-26 00:08:25 +0100
commitb792e4d4c772b7b5ef8ea32be187a871000e50c2 (patch)
tree1afccf87cdeb93fbc17f5e95ce4c774987e0aa43
parentb8e754525ca3d3fd835f7360e11f29b02b39cd62 (diff)
avformat/cafdec: Check that data chunk end fits within 64bit
Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/cafdec.c3
1 files changed, 3 insertions, 0 deletions
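diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index 72809fd1de..07a2939a7a 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -343,6 +343,9 @@ static int read_header(AVFormatContext *s)
     avio_skip(pb, 4); /* edit count */
     caf->data_start = avio_tell(pb);
     caf->data_size = size < 0 ? -1 : size - 4;
+    if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start)
+        return AVERROR_INVALIDDATA;
+
     if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL))
         avio_skip(pb, caf->data_size);
     found_data = 1;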
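Review bot: The new guard's correctness depends on its evaluation order and on the -1 value assigned on the line above, and neither is stated; a comment would help the next reader, e.g. `/* data_start + data_size is formed later; reject a negative tell() first so INT64_MAX - data_start cannot itself overflow, and let the -1 "size unknown" value through */`. The short-circuit on `caf->data_start < 0` is what keeps `INT64_MAX - caf->data_start` from overflowing when avio_tell() reports an error, so the two conditions must not be reordered. Not addressed by the commit: a chunk `size` of 0..3 yields a `data_size` of -4..-1 on the preceding line, which the guard accepts; whether downstream code treats those the same as the presumed -1 "unknown" value is not visible here and is worth confirming. read_header continues outside the hunk.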