[FFmpeg-devel] [PATCH 5/5] avformat/mov: Extend data_size check in mov_read_udta_string()
Michael Niedermayer
michael at niedermayer.cc
Sun Dec 13 02:30:31 EET 2020
Fixes: signed integer overflow: -2147483634 - 16 cannot be represented in type 'int'
Fixes: 28322/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5711888402612224
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavformat/mov.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 710a15dea8..5d526a634d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -402,7 +402,7 @@ retry:
if (c->itunes_metadata && atom.size > 8) {
int data_size = avio_rb32(pb);
int tag = avio_rl32(pb);
- if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) {
+ if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) {
data_type = avio_rb32(pb); // type
avio_rb32(pb); // unknown
str_size = data_size - 16;
--
2.17.1
More information about the ffmpeg-devel
mailing list