From 562021e2fd4d74589905d9c566c686394d2b0526 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 4 Dec 2021 20:48:54 +0100
Subject: avformat/mov: Check next offset in mov_read_dref()

Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'libavformat')

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 9ebfa0bcc7..2aed6e80ef 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -610,11 +610,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     for (i = 0; i < entries; i++) {
         MOVDref *dref = &sc->drefs[i];
         uint32_t size = avio_rb32(pb);
-        int64_t next = avio_tell(pb) + size - 4;
+        int64_t next = avio_tell(pb);
 
-        if (size < 12)
+        if (size < 12 || next < 0 || next > INT64_MAX - size)
             return AVERROR_INVALIDDATA;
 
+        next += size - 4;
+
         dref->type = avio_rl32(pb);
         avio_rb32(pb); // version + flags
 
-- 
cgit v1.2.3