aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/mov.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2023-02-20 19:19:32 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2023-02-22 18:01:37 +0100
commit53c1f5c2e28e54ea8174b196d5cf4a158907395a (patch)
tree9f9bec03f1bfd38bacb7e6c0d36c0eecd2fa8b2b /libavformat/mov.c
parentd5cc7acff1a4ea3e14d67faf99966c31a30d2a4d (diff)
downloadffmpeg-53c1f5c2e28e54ea8174b196d5cf4a158907395a.tar.gz
avformat/mov: Check samplesize and offset to avoid integer overflow
Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long' Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat/mov.c')
-rw-r--r--libavformat/mov.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6ab43b00c6..8af564ed61 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4192,6 +4192,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
if (keyframe)
distance = 0;
sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample];
+ if (current_offset > INT64_MAX - sample_size) {
+ av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n",
+ current_offset,
+ sample_size);
+ return;
+ }
+
if (sc->pseudo_stream_id == -1 ||
sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) {
AVIndexEntry *e;