mirror of https://git.ffmpeg.org/ffmpeg.git
avformat/mov: Extend data_size check in mov_read_udta_string()
Fixes: signed integer overflow: -2147483634 - 16 cannot be represented in type 'int'
Fixes: 28322/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5711888402612224
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 74c4c53953
)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
5ccb9ccea1
commit
6b0a5c6741
|
@ -404,7 +404,7 @@ retry:
|
|||
if (c->itunes_metadata && atom.size > 8) {
|
||||
int data_size = avio_rb32(pb);
|
||||
int tag = avio_rl32(pb);
|
||||
if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) {
|
||||
if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) {
|
||||
data_type = avio_rb32(pb); // type
|
||||
avio_rb32(pb); // unknown
|
||||
str_size = data_size - 16;
|
||||
|
|
Loading…
Reference in New Issue