avformat/mov: Fix last mfra check

Fixes: signed integer overflow: 9223372036854775360 + 536870912 cannot be represented in type 'long' Fixes: 37940/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6095637855207424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-09-15 21:52:00 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-09-26 17:22:18 +0200
commit: 451ceb5131fa67b0b380d4823981e421909c16db (patch)
tree: 0c2e4f97b70df6454fa61f73b11125dd4b1e193d /libavformat/mov.c
parent: 20afd3a63a75a160f61a98a8dcfe06f527ea19b4 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index bbb45864df..d0b8b2595b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5122,7 +5122,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     // See if the remaining bytes are just an mfra which we can ignore.
     is_complete = offset == stream_size;
-    if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL)) {
+    if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL) && stream_size > 0 ) {
         int64_t ret;
         int64_t original_pos = avio_tell(pb);
         if (!c->have_read_mfra_size) {
@@ -5133,7 +5133,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
             if ((ret = avio_seek(pb, original_pos, SEEK_SET)) < 0)
                 return ret;
         }
-        if (offset + c->mfra_size == stream_size)
+        if (offset == stream_size - c->mfra_size)
             is_complete = 1;
     }
author	Michael Niedermayer <michael@niedermayer.cc>	2021-09-15 21:52:00 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-09-26 17:22:18 +0200
commit	451ceb5131fa67b0b380d4823981e421909c16db (patch)
tree	0c2e4f97b70df6454fa61f73b11125dd4b1e193d /libavformat/mov.c
parent	20afd3a63a75a160f61a98a8dcfe06f527ea19b4 (diff)