avformat/avidec: fix position overflow in avi_load_index()

Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 527821a2dd6f19d9a4d2abe05833346ae86c66c6) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-23 19:11:03 +02:00 · 2021-04-23 19:11:03 +02:00 · 2ec7e09a0c
commit 2ec7e09a0c
parent 81aa2e05e4
1 changed files with 4 additions and 1 deletions
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@ -1736,7 +1736,10 @@ static int avi_load_index(AVFormatContext *s)
        size = avio_rl32(pb);
        if (avio_feof(pb))
            break;
-        next = avio_tell(pb) + size + (size & 1);
+        next = avio_tell(pb);
+        if (next < 0 || next > INT64_MAX - size - (size & 1))
+            break;
+        next += size + (size & 1LL);

        av_log(s, AV_LOG_TRACE, "tag=%c%c%c%c size=0x%x\n",
                 tag        & 0xff,