avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags()

Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-01-21 21:41:41 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-01-23 01:05:25 +0100
commit: d3d9b1fc8e2dfc8b4d66c9916ab7221062ff4660 (patch)
tree: 78ecac3203f21706ba40bd9a5e659ad112497e18 /libavformat
parent: da607832b57607fe9221bc2ecd25ea25ef6dd3aa (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 4c932e954c..afff20402d 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -2865,8 +2865,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF
         int ret;
         int tag = avio_rb16(pb);
         int size = avio_rb16(pb); /* KLV specified by 0x53 */
-        uint64_t next = avio_tell(pb) + size;
+        int64_t next = avio_tell(pb);
         UID uid = {0};
+        if (next < 0 || next > INT64_MAX - size)
+            return next < 0 ? next : AVERROR_INVALIDDATA;
+        next += size;
 
         av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size);
         if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */
author	Michael Niedermayer <michael@niedermayer.cc>	2021-01-21 21:41:41 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-01-23 01:05:25 +0100
commit	d3d9b1fc8e2dfc8b4d66c9916ab7221062ff4660 (patch)
tree	78ecac3203f21706ba40bd9a5e659ad112497e18 /libavformat
parent	da607832b57607fe9221bc2ecd25ea25ef6dd3aa (diff)