avformat/flvdec: Check array entry number

Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-02-11 22:58:53 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-03-28 14:20:00 +0200
commit: b5d8fe1c874947ca67ee8117b18f8052f0e590fc (patch)
tree: aa998c62611d860dc33334a5231810bae0adf902 /libavformat/flvdec.c
parent: 8b2bde04948e6e10896b6f923b0367aaba153014 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index e4b40a195c..fca6f82f5c 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -875,6 +875,8 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth)
         parse_name = 0;
     case AMF_DATA_TYPE_MIXEDARRAY:
         nb = avio_rb32(pb);
+        if (nb < 0)
+            return AVERROR_INVALIDDATA;
     case AMF_DATA_TYPE_OBJECT:
         while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) {
             if (parse_name) {
author	Michael Niedermayer <michael@niedermayer.cc>	2021-02-11 22:58:53 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-03-28 14:20:00 +0200
commit	b5d8fe1c874947ca67ee8117b18f8052f0e590fc (patch)
tree	aa998c62611d860dc33334a5231810bae0adf902 /libavformat/flvdec.c
parent	8b2bde04948e6e10896b6f923b0367aaba153014 (diff)