From f789d60e115e3e2ef48d36c5fa43686a6cf3f9c8 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Wed, 4 Jun 2025 14:02:15 -0300
Subject: [PATCH] avformat/mov: add more sanity checks when reading clap boxes

If the apperture window is bigger than the canvas, then the clap box is invalid and there's no point calculating cropping values.
Fixes: libavformat/mov.c:1295:14: runtime error: -256 is outside the range of representable values of type 'unsigned long'
Signed-off-by: James Almer
---
 libavformat/mov.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index a2a9c10f20..0f4a5cd9a3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1277,6 +1277,11 @@ static int mov_read_clap(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 err = AVERROR_INVALIDDATA;
 goto fail;
 }
+ if ((av_cmp_q((AVRational) { width, 1 }, aperture_width) < 0) ||
+ (av_cmp_q((AVRational) { height, 1 }, aperture_height) < 0)) {
+ err = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 av_log(c->fc, AV_LOG_TRACE, "clap: apertureWidth %d/%d, apertureHeight %d/%d "
 "horizOff %d/%d vertOff %d/%d\n",
 aperture_width.num, aperture_width.den, aperture_height.num, aperture_height.den,
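Review bot: The added guard in mov_read_clap bounds only apertureWidth and apertureHeight against the canvas. horizOff and vertOff come from the same untrusted box and are logged by the av_log call right below, but nothing in the visible lines range-checks them. If the crop edges are later derived from the picture centre plus those offsets, a large negative offset could presumably still produce a negative value at the unsigned conversion named in the commit message. It is worth confirming that the code after this hunk rejects a rectangle outside the canvas before converting. A one-line comment on the new check would also help the next reader, e.g. `/* clean aperture larger than the coded picture: the box is invalid, do not derive cropping from it */`. The function body begins and ends outside the hunk, so the later computation is not visible here.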