diff options
| author | James Almer <jamrial@gmail.com> | 2025-06-04 14:02:15 -0300 |
|---|---|---|
| committer | James Almer <jamrial@gmail.com> | 2025-06-22 10:30:03 -0300 |
| commit | f789d60e115e3e2ef48d36c5fa43686a6cf3f9c8 (patch) | |
| tree | 0c960fad959f308424090f59bb4341df02ff337b | |
| parent | dbe94e1110090fbfd0a105c847298d8e3fbc92f1 (diff) | |
| download | ffmpeg-f789d60e115e3e2ef48d36c5fa43686a6cf3f9c8.tar.gz | |
avformat/mov: add more sanity checks when reading clap boxes
If the apperture window is bigger than the canvas, then the clap box is invalid
and there's no point calculating cropping values.
Fixes: libavformat/mov.c:1295:14: runtime error: -256 is outside the range of representable values of type 'unsigned long'
Signed-off-by: James Almer <jamrial@gmail.com>
| -rw-r--r-- | libavformat/mov.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index a2a9c10f20..0f4a5cd9a3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1277,6 +1277,11 @@ static int mov_read_clap(MOVContext *c, AVIOContext *pb, MOVAtom atom) err = AVERROR_INVALIDDATA; goto fail; } + if ((av_cmp_q((AVRational) { width, 1 }, aperture_width) < 0) || + (av_cmp_q((AVRational) { height, 1 }, aperture_height) < 0)) { + err = AVERROR_INVALIDDATA; + goto fail; + } av_log(c->fc, AV_LOG_TRACE, "clap: apertureWidth %d/%d, apertureHeight %d/%d " "horizOff %d/%d vertOff %d/%d\n", aperture_width.num, aperture_width.den, aperture_height.num, aperture_height.den, |