projects / ffmpeg.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4d38b33)
avformat/mov: reject negative ELST durations
authorMichael Niedermayer <michael@niedermayer.cc>
Sat, 10 May 2025 21:39:53 +0000 (23:39 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 4 Aug 2025 14:36:06 +0000 (16:36 +0200)
Fixes: multiple integer overflows
Fixes: 401016767/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6242067591790592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9fc2702f6f502064d0d2d75c97ece33f4b56eb84)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/mov.c patch | blob | history

diff --git a/libavformat/mov.c b/libavformat/mov.c
index a95f9ea1356ae73df40b991806ff03cb022fb4ea..be859532222f4669747070ed71a4823dfb3ae817 100644 (file)
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5556,6 +5556,11 @@ static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom)
                    c->fc->nb_streams-1, i, e->time);
             return AVERROR_INVALIDDATA;
         }
+        if (e->duration < 0) {
+            av_log(c->fc, AV_LOG_ERROR, "Track %d, edit %d: Invalid edit list duration=%"PRId64"\n",
+                   c->fc->nb_streams-1, i, e->duration);
+            return AVERROR_INVALIDDATA;
+        }
     }
     sc->elst_count = i;
 
FFmpeg git repo