diff mbox series

[FFmpeg-devel,1/6] avformat/mov: Check samplesize and offset to avoid integer overflow

Message ID 20230220192929.4493-1-michael@niedermayer.cc
State Accepted
Commit 53c1f5c2e28e54ea8174b196d5cf4a158907395a
Headers show
Series [FFmpeg-devel,1/6] avformat/mov: Check samplesize and offset to avoid integer overflow | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Feb. 20, 2023, 7:29 p.m. UTC
Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long'
Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Michael Niedermayer Feb. 23, 2023, 10:14 p.m. UTC | #1
Hi

On Mon, Feb 20, 2023 at 08:29:24PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long'
> Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mov.c | 7 +++++++
>  1 file changed, 7 insertions(+)

will apply patchset

[...]
diff mbox series

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6ab43b00c6..8af564ed61 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4192,6 +4192,13 @@  static void mov_build_index(MOVContext *mov, AVStream *st)
                 if (keyframe)
                     distance = 0;
                 sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample];
+                if (current_offset > INT64_MAX - sample_size) {
+                    av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n",
+                           current_offset,
+                           sample_size);
+                    return;
+                }
+
                 if (sc->pseudo_stream_id == -1 ||
                    sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) {
                     AVIndexEntry *e;