aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2021-09-15 21:52:00 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2021-09-26 17:22:18 +0200
commit451ceb5131fa67b0b380d4823981e421909c16db (patch)
tree0c2e4f97b70df6454fa61f73b11125dd4b1e193d /libavformat
parent20afd3a63a75a160f61a98a8dcfe06f527ea19b4 (diff)
downloadffmpeg-451ceb5131fa67b0b380d4823981e421909c16db.tar.gz
avformat/mov: Fix last mfra check
Fixes: signed integer overflow: 9223372036854775360 + 536870912 cannot be represented in type 'long' Fixes: 37940/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6095637855207424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/mov.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index bbb45864df..d0b8b2595b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5122,7 +5122,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
// See if the remaining bytes are just an mfra which we can ignore.
is_complete = offset == stream_size;
- if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL)) {
+ if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL) && stream_size > 0 ) {
int64_t ret;
int64_t original_pos = avio_tell(pb);
if (!c->have_read_mfra_size) {
@@ -5133,7 +5133,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if ((ret = avio_seek(pb, original_pos, SEEK_SET)) < 0)
return ret;
}
- if (offset + c->mfra_size == stream_size)
+ if (offset == stream_size - c->mfra_size)
is_complete = 1;
}