Rémi Denis-Courmont: > > > Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer > <mich...@niedermayer.cc> a écrit : >> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 >> cannot be represented in type 'long' >> Fixes: >> 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832 >> >> Found-by: continuous fuzzing process >> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> >> --- >> libavformat/mov.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/libavformat/mov.c b/libavformat/mov.c >> index 9016cd5ad08..46cbce98040 100644 >> --- a/libavformat/mov.c >> +++ b/libavformat/mov.c >> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext >> *pb, MOVAtom atom) >> } >> for (int j = 0; j < extent_count; j++) { >> if (rb_size(pb, &extent_offset, offset_size) < 0 || >> - rb_size(pb, &extent_length, length_size) < 0) >> + rb_size(pb, &extent_length, length_size) < 0 || >> + base_offset < 0 || extent_offset < 0 || >> + base_offset + (uint64_t)extent_offset > INT64_MAX) > > Can we please stop with the bespoke arithmetic overflow checks and add > dedicated helpers instead, similar to what GCC and C23 have? >
+1 >> return AVERROR_INVALIDDATA; >> if (offset_type == 1) >> c->heif_item[i].is_idat_relative = 1; _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
