avformat/vividas: Check that value from ffio_read_varlen() does not overflow

Fixes: signed integer overflow: -1241665686 + -1340629419 cannot be represented in type 'int' Fixes: 15922/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5692826442006528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/vividas: Check that value from ffio_read_varlen() does not overflow
Fixes: signed integer overflow: -1241665686 + -1340629419 cannot be represented in type 'int' Fixes: 15922/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5692826442006528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
07357cd9 · Michael Niedermayer · 8bac6483 · 07357cd9
Commit 07357cd9 authored Jul 20, 2019 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

vividas.c libavformat/vividas.c +5 -2

No files found.
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -374,8 +374,11 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
            ffio_read_varlen(pb); // len_3
            num_data = avio_r8(pb);
            for (j = 0; j < num_data; j++) {
-                data_len[j] = ffio_read_varlen(pb);
-                xd_size += data_len[j];
+                uint64_t len = ffio_read_varlen(pb);
+                if (len > INT_MAX/2 - xd_size)
+                    return AVERROR_INVALIDDATA;
+                data_len[j] = len;
+                xd_size += len;
            }

            st->codecpar->extradata_size = 64 + xd_size + xd_size / 255;