diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2023-02-20 19:19:32 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2023-03-27 13:37:18 +0200 |
| commit | 33785a4fd9148a69cbab48ed65be16c20c1328e2 (patch) | |
| tree | f3a4274f9833ccd4a7b5c8a84708bc1d777c85d8 | |
| parent | 123181bca4df491153e2aba38db2f213ac6bde98 (diff) | |
| download | ffmpeg-33785a4fd9148a69cbab48ed65be16c20c1328e2.tar.gz | |
avformat/mov: Check samplesize and offset to avoid integer overflow
Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long'
Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53c1f5c2e28e54ea8174b196d5cf4a158907395a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/mov.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 6fb09df7e1..4dc95c96a3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3973,6 +3973,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e; |