virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00
Code Issues Releases Activity

avformat/mov: Check next offset in mov_read_dref()

Browse Source 
Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 562021e2fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-12-04 20:48:54 +01:00
parent f433faed1e
commit f80d5425ae
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavformat/mov.c
View File

@ -603,11 +603,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
for (i = 0; i < entries; i++) {
MOVDref *dref = &sc->drefs[i];
uint32_t size = avio_rb32(pb);
int64_t next = avio_tell(pb) + size - 4;
int64_t next = avio_tell(pb);
if (size < 12)
if (size < 12 || next < 0 || next > INT64_MAX - size)
return AVERROR_INVALIDDATA;
next += size - 4;
dref->type = avio_rl32(pb);
avio_rb32(pb); // version + flags