diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2020-08-02 00:51:12 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-10-09 22:02:19 +0200 |
| commit | 28eecaca560e6671055321c761985b4a3d886b9b (patch) | |
| tree | 4665cd60caa7eb093050fa300453ecf3640ea3a3 | |
| parent | e5fa192bb7ade36972cd76ea3d1fc013edcb9cae (diff) | |
| download | ffmpeg-28eecaca560e6671055321c761985b4a3d886b9b.tar.gz | |
avformat/mov: Check comp_brand_size
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 24457/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5760093644390400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffa6072fc727a14680a85449259f6b49b47587e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/mov.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index fa969ebb28..2c7bc45111 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1119,7 +1119,7 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dict_set_int(&c->fc->metadata, "minor_version", minor_ver, 0); comp_brand_size = atom.size - 8; - if (comp_brand_size < 0) + if (comp_brand_size < 0 || comp_brand_size == INT_MAX) return AVERROR_INVALIDDATA; comp_brands_str = av_malloc(comp_brand_size + 1); /* Add null terminator */ if (!comp_brands_str) |