avformat/mov: check for pts overflow in mov_read_sidx()
authorMichael Niedermayer <michael@niedermayer.cc>
Thu, 15 Apr 2021 16:43:25 +0000 (18:43 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Thu, 22 Apr 2021 13:06:55 +0000 (15:06 +0200)
Fixes: signed integer overflow: 9223372036846336888 + 4278255871 cannot be represented in type 'long'
Fixes: 32782/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6059216516284416
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/mov.c

index 9ca1ac89a86f767d5448a49def40593bf942075c..bf29060973af8c5407f790ded2a60919ad7e58e2 100644 (file)
@@ -5111,7 +5111,9 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         if (frag_stream_info)
             frag_stream_info->sidx_pts = timestamp;
 
-        if (av_sat_add64(offset, size) != offset + size)
+        if (av_sat_add64(offset, size) != offset + size ||
+            av_sat_add64(pts, duration) != pts + (uint64_t)duration
+        )
             return AVERROR_INVALIDDATA;
         offset += size;
         pts += duration;
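Review bot: The first operand of the condition, `av_sat_add64(offset, size) != offset + size`, still computes `offset + size` without the unsigned cast that the added `pts` line uses. If `offset` is a signed 64-bit value like `pts` (its declaration is outside the hunk, so this is inferred), the comparison itself performs the signed overflow it is meant to detect. Applying the same cast keeps both comparisons well defined: `if (av_sat_add64(offset, size) != offset + (uint64_t)size ||`. The fuzzer report in the commit message indicates these fields come from the input file, so the guard should not depend on undefined behaviour to reject a malformed sidx box. The body of mov_read_sidx starts and ends outside the hunk.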