avcodec/cfhd: check peak.offset

Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-11-08 00:08:35 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-01-29 19:36:46 +0100
commit: 386faeda5ff1924c17766248ce19528dbf90cf15 (patch)
tree: 1a9500f132663d0684902ad2302abd8a5aee9834 /libavcodec/cfhd.c
parent: b0f8586ca9853ab3d324ccd3c42bad4375000b0a (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index aae6bd78db..dfd56ae6ed 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -617,6 +617,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->peak.level   = 0;
         } else if (tag == -PeakLevel && s->peak.offset) {
             s->peak.level = data;
+            if (s->peak.offset < 4 - bytestream2_tell(&s->peak.base) ||
+                s->peak.offset > 4 + bytestream2_get_bytes_left(&s->peak.base)
+            ) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
             bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR);
         } else
             av_log(avctx, AV_LOG_DEBUG,  "Unknown tag %i data %x\n", tag, data);
author	Michael Niedermayer <michael@niedermayer.cc>	2020-11-08 00:08:35 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-01-29 19:36:46 +0100
commit	386faeda5ff1924c17766248ce19528dbf90cf15 (patch)
tree	1a9500f132663d0684902ad2302abd8a5aee9834 /libavcodec/cfhd.c
parent	b0f8586ca9853ab3d324ccd3c42bad4375000b0a (diff)