[FFmpeg-devel] [PATCH 5/5] avformat/mov: Fix last mfra check
Michael Niedermayer
michael at niedermayer.cc
Wed Sep 15 23:00:48 EEST 2021
Fixes: signed integer overflow: 9223372036854775360 + 536870912 cannot be represented in type 'long'
Fixes: 37940/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6095637855207424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavformat/mov.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4bc42d6b20e..d816242c0b7 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5109,7 +5109,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
// See if the remaining bytes are just an mfra which we can ignore.
is_complete = offset == stream_size;
- if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL)) {
+ if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL) && stream_size > 0 ) {
int64_t ret;
int64_t original_pos = avio_tell(pb);
if (!c->have_read_mfra_size) {
@@ -5120,7 +5120,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if ((ret = avio_seek(pb, original_pos, SEEK_SET)) < 0)
return ret;
}
- if (offset + c->mfra_size == stream_size)
+ if (offset == stream_size - c->mfra_size)
is_complete = 1;
}
--
2.17.1
More information about the ffmpeg-devel
mailing list