This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 7399d533acba897c915fe13a1a520cee9b26ec02
Author: James Almer <[email protected]>
AuthorDate: Thu Jan 15 17:14:29 2026 -0300
Commit: James Almer <[email protected]>
CommitDate: Thu Mar 5 23:11:12 2026 -0300
avformat/mov: add overflow checks to item offset values
Fixes issue #21478.
Signed-off-by: James Almer <[email protected]>
(cherry picked from commit 52b19773530f332d546360dfd6142674d077d8d9)
---
 libavformat/mov.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8dd72b7c2a..fc3ed6a07e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -10198,6 +10198,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid,
 offset = c->idat_offset;
 }
+ if (offset > INT64_MAX - item->extent_offset)
+ return AVERROR_INVALIDDATA;
+
 avio_seek(s->pb, item->extent_offset + offset, SEEK_SET);
 avio_r8(s->pb); /* version */
@@ -10296,6 +10299,9 @@ static int read_image_iovl(AVFormatContext *s, const HEIFGrid *grid,
 offset = c->idat_offset;
 }
+ if (offset > INT64_MAX - item->extent_offset)
+ return AVERROR_INVALIDDATA;
+
 avio_seek(s->pb, item->extent_offset + offset, SEEK_SET);
 avio_r8(s->pb); /* version */
@@ -10488,6 +10494,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
 if (err)
 return AVERROR_INVALIDDATA;
+ if (offset > INT64_MAX - item->extent_offset)
+ return AVERROR_INVALIDDATA;
+
 sc->chunk_offsets[0] = item->extent_offset + offset;
 if (item->item_id == mov->primary_item_id)
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
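Review bot: The new guard `offset > INT64_MAX - item->extent_offset` in read_image_grid only rules out overflow when both operands are non-negative. Neither declaration is visible in the hunk, but if these are signed 64-bit values derived from file data, a negative `item->extent_offset` would make the subtraction itself overflow, and a negative sum would still reach `avio_seek`. Unless negatives are rejected where the item is parsed, consider `if (item->extent_offset < 0 || offset < 0 || offset > INT64_MAX - item->extent_offset)`. The identical three lines are repeated in read_image_iovl and mov_parse_heif_items, where the sum is stored in `sc->chunk_offsets[0]`, so a small static helper with a one-line comment on what it guards would keep the three sites in step. All three functions start and end outside their hunks.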
