avformat/mov: check offset for overflow in mov_probe()

author Michael Niedermayer <michael@niedermayer.cc>

Sun, 4 Apr 2021 19:01:46 +0000 (21:01 +0200)

committer Michael Niedermayer <michael@niedermayer.cc>

Mon, 5 Apr 2021 16:41:59 +0000 (18:41 +0200)
author Michael Niedermayer <michael@niedermayer.cc>
Sun, 4 Apr 2021 19:01:46 +0000 (21:01 +0200)
committer Michael Niedermayer <michael@niedermayer.cc>
Mon, 5 Apr 2021 16:41:59 +0000 (18:41 +0200)
diff --git a/libavformat/mov.c b/libavformat/mov.c

index 7805330bf9e2667f14814114d390bbd7ffa83fcc..8d19824910ff850def164427dd0b968371351647 100644 (file)
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -7114,7 +7114,7 @@ static int mov_probe(const AVProbeData *p)
          int64_t size;
          int minsize = 8;
          /* ignore invalid offset */
-        if ((offset + 8) > (unsigned int)p->buf_size)
+        if ((offset + 8ULL) > (unsigned int)p->buf_size)
              break;
          size = AV_RB32(p->buf + offset);
          if (size == 1 && offset + 16 <= (unsigned int)p->buf_size) {
@@ -7161,6 +7161,8 @@ static int mov_probe(const AVProbeData *p)
              score  = FFMAX(score, AVPROBE_SCORE_EXTENSION);
              break;
          }
+        if (size > INT64_MAX - offset)
+            break;
          offset += size;
      }
      if (score > AVPROBE_SCORE_MAX - 50 && moov_offset != -1) {
author	Michael Niedermayer <michael@niedermayer.cc>
	Sun, 4 Apr 2021 19:01:46 +0000 (21:01 +0200)
committer	Michael Niedermayer <michael@niedermayer.cc>
	Mon, 5 Apr 2021 16:41:59 +0000 (18:41 +0200)