diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2021-09-15 21:52:00 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-09-26 17:22:18 +0200 |
commit | 451ceb5131fa67b0b380d4823981e421909c16db (patch) | |
tree | 0c2e4f97b70df6454fa61f73b11125dd4b1e193d /libavformat | |
parent | 20afd3a63a75a160f61a98a8dcfe06f527ea19b4 (diff) | |
download | ffmpeg-451ceb5131fa67b0b380d4823981e421909c16db.tar.gz |
avformat/mov: Fix last mfra check
Fixes: signed integer overflow: 9223372036854775360 + 536870912 cannot be represented in type 'long'
Fixes: 37940/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6095637855207424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/mov.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index bbb45864df..d0b8b2595b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5122,7 +5122,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) // See if the remaining bytes are just an mfra which we can ignore. is_complete = offset == stream_size; - if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL)) { + if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL) && stream_size > 0 ) { int64_t ret; int64_t original_pos = avio_tell(pb); if (!c->have_read_mfra_size) { @@ -5133,7 +5133,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) if ((ret = avio_seek(pb, original_pos, SEEK_SET)) < 0) return ret; } - if (offset + c->mfra_size == stream_size) + if (offset == stream_size - c->mfra_size) is_complete = 1; } |