From 045ed347fb6216386b04f5a7a0e9ab37761af29b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:28:03 +0200 Subject: avformat/mxfdec: Check run_in is within 65536 Fixes: signed integer overflow: 9223372036854775807 - -2146905566 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6570996594769920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7786097825d9e3f02b4574c1924c28818eb83340) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index b54fc4be2c..dbd34e3588 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -58,6 +58,7 @@ #include "mxf.h" #define MXF_MAX_CHUNK_SIZE (32 << 20) +#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant typedef enum { Header, @@ -3135,6 +3136,7 @@ static int mxf_read_header(AVFormatContext *s) KLVPacket klv; int64_t essence_offset = 0; int ret; + int64_t run_in; mxf->last_forward_tell = INT64_MAX; @@ -3144,7 +3146,10 @@ static int mxf_read_header(AVFormatContext *s) } avio_seek(s->pb, -14, SEEK_CUR); mxf->fc = s; - mxf->run_in = avio_tell(s->pb); + run_in = avio_tell(s->pb); + if (run_in < 0 || run_in > RUN_IN_MAX) + return AVERROR_INVALIDDATA; + mxf->run_in = run_in; mxf_read_random_index_pack(s); -- cgit v1.2.1