avformat/mov: Check next offset in mov_read_dref()

Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
pull/379/head
Michael Niedermayer 3 years ago
parent bf1e93bdc9
commit 562021e2fd
  1. 6
      libavformat/mov.c

@ -610,11 +610,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
for (i = 0; i < entries; i++) { for (i = 0; i < entries; i++) {
MOVDref *dref = &sc->drefs[i]; MOVDref *dref = &sc->drefs[i];
uint32_t size = avio_rb32(pb); uint32_t size = avio_rb32(pb);
int64_t next = avio_tell(pb) + size - 4; int64_t next = avio_tell(pb);
if (size < 12) if (size < 12 || next < 0 || next > INT64_MAX - size)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
next += size - 4;
dref->type = avio_rl32(pb); dref->type = avio_rl32(pb);
avio_rb32(pb); // version + flags avio_rb32(pb); // version + flags

Loading…
Cancel
Save