Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <mich...@niedermayer.cc> a écrit : >Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 >cannot be represented in type 'long' >Fixes: >68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832 > >Found-by: continuous fuzzing process >https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> >--- > libavformat/mov.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/libavformat/mov.c b/libavformat/mov.c >index 9016cd5ad08..46cbce98040 100644 >--- a/libavformat/mov.c >+++ b/libavformat/mov.c >@@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, >MOVAtom atom) > } > for (int j = 0; j < extent_count; j++) { > if (rb_size(pb, &extent_offset, offset_size) < 0 || >- rb_size(pb, &extent_length, length_size) < 0) >+ rb_size(pb, &extent_length, length_size) < 0 || >+ base_offset < 0 || extent_offset < 0 || >+ base_offset + (uint64_t)extent_offset > INT64_MAX)
Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have? > return AVERROR_INVALIDDATA; > if (offset_type == 1) > c->heif_item[i].is_idat_relative = 1; _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
