diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2022-09-17 21:30:55 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2022-09-24 17:57:36 +0200 |
commit | 736e9e69d5dbbe1d81885dfef59917eb915d2f96 (patch) | |
tree | 64c5e7f4433c3e9495b205fd020349eeeaf61cec /libavformat | |
parent | 5b23cab5c769d6611a3fe111546d65809046a4d8 (diff) |
avformat/asfdec_o: Limit packet offset
avoids overflows with it
Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/asfdec_o.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 48b7d17322..e837ca62e7 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1242,6 +1242,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { |