[FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
James Almer
jamrial at gmail.com
Tue Jun 18 03:41:49 EEST 2024
On 6/16/2024 8:08 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/mov.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 9016cd5ad08..46cbce98040 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> }
> for (int j = 0; j < extent_count; j++) {
> if (rb_size(pb, &extent_offset, offset_size) < 0 ||
> - rb_size(pb, &extent_length, length_size) < 0)
> + rb_size(pb, &extent_length, length_size) < 0 ||
> + base_offset < 0 || extent_offset < 0 ||
> + base_offset + (uint64_t)extent_offset > INT64_MAX)
You can do the negative value check directly in rb_size() instead. And
I'd prefer the other check to be (base_offset > INT64_MAX - extent_offset).
> return AVERROR_INVALIDDATA;
> if (offset_type == 1)
> c->heif_item[i].is_idat_relative = 1;
More information about the ffmpeg-devel
mailing list