From 451ceb5131fa67b0b380d4823981e421909c16db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Sep 2021 21:52:00 +0200 Subject: [PATCH] avformat/mov: Fix last mfra check Fixes: signed integer overflow: 9223372036854775360 + 536870912 cannot be represented in type 'long' Fixes: 37940/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6095637855207424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index bbb45864df..d0b8b2595b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5122,7 +5122,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) // See if the remaining bytes are just an mfra which we can ignore. is_complete = offset == stream_size; - if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL)) { + if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL) && stream_size > 0 ) { int64_t ret; int64_t original_pos = avio_tell(pb); if (!c->have_read_mfra_size) { @@ -5133,7 +5133,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) if ((ret = avio_seek(pb, original_pos, SEEK_SET)) < 0) return ret; } - if (offset + c->mfra_size == stream_size) + if (offset == stream_size - c->mfra_size) is_complete = 1; }