Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavformat/avidec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 48370fe5ce..4ab4d92f92 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1783,7 +1783,10 @@ static int avi_load_index(AVFormatContext *s) size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); if (tag == MKTAG('i', 'd', 'x', '1') && avi_read_idx1(s, size) >= 0) { -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
