1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-21 10:55:51 +02:00

avformat/mov: Check next offset in mov_read_dref()

Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-12-04 20:48:54 +01:00
parent bf1e93bdc9
commit 562021e2fd

View File

@ -610,11 +610,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
for (i = 0; i < entries; i++) {
MOVDref *dref = &sc->drefs[i];
uint32_t size = avio_rb32(pb);
int64_t next = avio_tell(pb) + size - 4;
int64_t next = avio_tell(pb);
if (size < 12)
if (size < 12 || next < 0 || next > INT64_MAX - size)
return AVERROR_INVALIDDATA;
next += size - 4;
dref->type = avio_rl32(pb);
avio_rb32(pb); // version + flags