libavformat/iff: Check for overflow in body_end calculation

Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2022-08-22 20:31:32 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2022-10-09 22:15:44 +0200
commit: 37139adfbfcc5daea7d04be6294c2511c1e1e4e4 (patch)
tree: 53f3b6ff69ed9f88c1c8549f9ff3ce38c6fb31c1
parent: 2f2a3397ccf9132237babf9257943bcbe72c315b (diff)
download: ffmpeg-37139adfbfcc5daea7d04be6294c2511c1e1e4e4.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 1a1c80551a..52bc8c99c9 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -502,6 +502,9 @@ static int iff_read_header(AVFormatContext *s)
         case ID_DST:
         case ID_MDAT:
             iff->body_pos = avio_tell(pb);
+            if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX)
+                return AVERROR_INVALIDDATA;
+
             iff->body_end = iff->body_pos + data_size;
             iff->body_size = data_size;
             if (chunk_id == ID_DST) {
author	Michael Niedermayer <michael@niedermayer.cc>	2022-08-22 20:31:32 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2022-10-09 22:15:44 +0200
commit	37139adfbfcc5daea7d04be6294c2511c1e1e4e4 (patch)
tree	53f3b6ff69ed9f88c1c8549f9ff3ce38c6fb31c1
parent	2f2a3397ccf9132237babf9257943bcbe72c315b (diff)
download	ffmpeg-37139adfbfcc5daea7d04be6294c2511c1e1e4e4.tar.gz