[FFmpeg-cvslog] avformat/mov: Check next offset in mov_read_dref()
Michael Niedermayer
git at videolan.org
Mon Apr 18 19:05:57 EEST 2022
ffmpeg | branch: release/3.2 | Michael Niedermayer <michael at niedermayer.cc> | Sat Dec 4 20:48:54 2021 +0100| [6cdc8b3c133a05f4d30654fcb0af3f3df51409e3] | committer: Michael Niedermayer
avformat/mov: Check next offset in mov_read_dref()
Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6cdc8b3c133a05f4d30654fcb0af3f3df51409e3
---
libavformat/mov.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index fde2a856ef..b6d97bf12a 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -590,11 +590,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
for (i = 0; i < entries; i++) {
MOVDref *dref = &sc->drefs[i];
uint32_t size = avio_rb32(pb);
- int64_t next = avio_tell(pb) + size - 4;
+ int64_t next = avio_tell(pb);
- if (size < 12)
+ if (size < 12 || next < 0 || next > INT64_MAX - size)
return AVERROR_INVALIDDATA;
+ next += size - 4;
+
dref->type = avio_rl32(pb);
avio_rb32(pb); // version + flags
av_log(c->fc, AV_LOG_TRACE, "type %.4s size %d\n", (char*)&dref->type, size);
More information about the ffmpeg-cvslog
mailing list