avformat/mov: reject out of range ispe dimensions, avoid overflow summing HEIF tile...
authorMichael Niedermayer <michael@niedermayer.cc>
Thu, 11 Jun 2026 14:34:26 +0000 (16:34 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 14 Jun 2026 02:41:06 +0000 (04:41 +0200)
commit31a192f5dd75be9f7520db29ce44fa8f36ae8ba3
tree038efe7decb55997a8a718cf42483f3b045312e0
parenta4152636b8b094e8f0447773678c75b947d083f0
avformat/mov: reject out of range ispe dimensions, avoid overflow summing HEIF tile dimensions

ispe width/height are read as uint32 but stored in int HEIFItem fields;
values above INT_MAX became negative, and read_image_grid() summing such
widths into coded_width overflowed int:
libavformat/mov.c:10404:33: runtime error: signed integer overflow: -2147483647 + -2147483647 cannot be represented in type 'int'

Also accumulate the grid tile dimensions and running offsets in 64bit
and validate the totals, as up to 256 tile columns of individually
valid widths can still overflow int.

Found-by: 51511
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2cc7b87bdb75bcb59bf8bcd5296ca43f89b3a909)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/mov.c