diff mbox series

[FFmpeg-devel,5/5] avformat/mov: Extend data_size check in mov_read_udta_string()

Message ID 20201213003031.14698-5-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/5] avformat/voc_packet: Add a basic check on max_size
Related show

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer Dec. 13, 2020, 12:30 a.m. UTC
Fixes: signed integer overflow: -2147483634 - 16 cannot be represented in type 'int'
Fixes: 28322/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5711888402612224

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 710a15dea8..5d526a634d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -402,7 +402,7 @@  retry:
     if (c->itunes_metadata && atom.size > 8) {
         int data_size = avio_rb32(pb);
         int tag = avio_rl32(pb);
-        if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) {
+        if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) {
             data_type = avio_rb32(pb); // type
             avio_rb32(pb); // unknown
             str_size = data_size - 16;