| Message ID | 20230220192929.4493-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 53c1f5c2e28e54ea8174b196d5cf4a158907395a |
| Headers | show |
| Series | [FFmpeg-devel,1/6] avformat/mov: Check samplesize and offset to avoid integer overflow | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
Hi On Mon, Feb 20, 2023 at 08:29:24PM +0100, Michael Niedermayer wrote: > Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long' > Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/mov.c | 7 +++++++ > 1 file changed, 7 insertions(+) will apply patchset [...]
diff --git a/libavformat/mov.c b/libavformat/mov.c index 6ab43b00c6..8af564ed61 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4192,6 +4192,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e;
Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long' Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+)