PR #21479 opened by James Almer (jamrial) URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21479 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21479.patch
Fixes issue #21478.
>From d2b178764600839d76a4437e3d7bbc808b38ed10 Mon Sep 17 00:00:00 2001
From: James Almer <[email protected]>
Date: Thu, 15 Jan 2026 17:14:29 -0300
Subject: [PATCH] avformat/mov: add overflow checks to item offset values
Fixes issue #21478.
Signed-off-by: James Almer <[email protected]>
---
 libavformat/mov.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 009ddfec80..f219dd2625 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -10252,6 +10252,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid,
 offset = c->idat_offset;
 }
+ if (offset > INT64_MAX - item->extent_offset)
+ return AVERROR_INVALIDDATA;
+
 avio_seek(s->pb, item->extent_offset + offset, SEEK_SET);
 avio_r8(s->pb); /* version */
@@ -10335,6 +10338,9 @@ static int read_image_iovl(AVFormatContext *s, const HEIFGrid *grid,
 offset = c->idat_offset;
 }
+ if (offset > INT64_MAX - item->extent_offset)
+ return AVERROR_INVALIDDATA;
+
 avio_seek(s->pb, item->extent_offset + offset, SEEK_SET);
 avio_r8(s->pb); /* version */
@@ -10408,6 +10414,9 @@ static int mov_parse_exif_item(AVFormatContext *s,
 if (!buf)
 return AVERROR(ENOMEM);
+ if (offset > INT64_MAX - ref->extent_offset)
+ return AVERROR_INVALIDDATA;
+
 avio_seek(s->pb, ref->extent_offset + offset, SEEK_SET);
 err = avio_read(s->pb, buf->data, ref->extent_length);
 if (err != ref->extent_length) {
@@ -10621,6 +10630,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
 if (err)
 return AVERROR_INVALIDDATA;
+ if (offset > INT64_MAX - item->extent_offset)
+ return AVERROR_INVALIDDATA;
+
 sc->chunk_offsets[0] = item->extent_offset + offset;
 if (item->item_id == mov->primary_item_id)
--
2.52.0
_______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
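Review bot: The new guard in read_image_grid only prevents the signed overflow if both `offset` and `item->extent_offset` are non-negative; with a negative `item->extent_offset` the expression `INT64_MAX - item->extent_offset` overflows on its own, and a negative `offset` passes the check and seeks to an unintended position. If the iloc parser does not already reject negative 64-bit offsets (that code is not visible here), widen it to `if (offset < 0 || item->extent_offset < 0 || offset > INT64_MAX - item->extent_offset)`. Note also that the `avio_seek()` result on the following context line remains unchecked, so the guard rules out undefined behaviour but not a seek past EOF. The identical expression is now repeated in four places; a small `static` helper that validates and returns the sum would keep them in step. read_image_grid's body starts and ends outside the hunk.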
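Review bot: The new early return in mov_parse_exif_item is placed after `buf` has already been allocated (the `if (!buf) return AVERROR(ENOMEM);` context line directly above it) and returns without releasing it, so a crafted file with an overflowing offset leaks that buffer on every call. Move the overflow check above the allocation so the item is rejected before any memory is reserved for it, or release `buf` before returning; the allocation call and the release used by the short-read path below are outside the hunk, so the exact release call needs confirming. Checking first also avoids allocating `ref->extent_length` bytes for an item that is about to be discarded. mov_parse_exif_item's body starts and ends outside the hunk.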
