avformat/aaxdec: Check for overlaping segments

michaelni · michaelni · commit c16a0ed2422a · 2022-06-17T01:54:05.000+02:00
Fixes: Timeout Fixes: 45875/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-6121689903136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
@@ -252,6 +252,10 @@ static int aax_read_header(AVFormatContext *s)
                 size  = avio_rb32(pb);
                 a->segments[r].start = start + a->data_offset;
                 a->segments[r].end   = a->segments[r].start + size;
+                if (r &&
+                    a->segments[r].start < a->segments[r-1].end &&
+                    a->segments[r].end   > a->segments[r-1].start)
+                    return AVERROR_INVALIDDATA;
             } else
                 return AVERROR_INVALIDDATA;
         }
