To: ffmpeg-devel@ffmpeg.org
Date: Thu, 15 Jan 2026 20:15:26 -0000
Message-ID: <176850812670.25.12060650163135560480@4457048688e7>
Subject: [FFmpeg-devel] [PR] avformat/mov: add overflow checks to item offset values (PR #21479)
From: James Almer via ffmpeg-devel
Cc: James Almer
Reply-To: FFmpeg development discussions and patches
List-Id: FFmpeg development discussions and patches

PR #21479 opened by James Almer (jamrial)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21479
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21479.patch

Fixes issue #21478.

>>From d2b178764600839d76a4437e3d7bbc808b38ed10 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 15 Jan 2026 17:14:29 -0300 Subject: [PATCH] avformat/mov: add overflow checks to item offset values Fixes issue #21478. Signed-off-by: James Almer --- libavformat/mov.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 009ddfec80..f219dd2625 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -10252,6 +10252,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid, offset = c->idat_offset; } + if (offset > INT64_MAX - item->extent_offset) + return AVERROR_INVALIDDATA; + avio_seek(s->pb, item->extent_offset + offset, SEEK_SET); avio_r8(s->pb); /* version */ 
@@ -10335,6 +10338,9 @@ static int read_image_iovl(AVFormatContext *s, const HEIFGrid *grid, offset = c->idat_offset; } + if (offset > INT64_MAX - item->extent_offset) + return AVERROR_INVALIDDATA; + avio_seek(s->pb, item->extent_offset + offset, SEEK_SET); avio_r8(s->pb); /* version */ @@ -10408,6 +10414,9 @@ static int mov_parse_exif_item(AVFormatContext *s, if (!buf) return AVERROR(ENOMEM); + if (offset > INT64_MAX - ref->extent_offset) + return AVERROR_INVALIDDATA; + avio_seek(s->pb, ref->extent_offset + offset, SEEK_SET); err = avio_read(s->pb, buf->data, ref->extent_length); if (err != ref->extent_length) { @@ -10621,6 +10630,9 @@ static int mov_parse_heif_items(AVFormatContext *s) if (err) return AVERROR_INVALIDDATA; + if (offset > INT64_MAX - item->extent_offset) + return AVERROR_INVALIDDATA; + sc->chunk_offsets[0] = item->extent_offset + offset; if (item->item_id == mov->primary_item_id) -- 2.52.0
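Review bot: the guard `if (offset > INT64_MAX - item->extent_offset)` added in read_image_grid() and read_image_iovl() is a sound overflow test only when `item->extent_offset` is non-negative. Assuming both operands are int64_t, as the INT64_MAX bound suggests, a negative `item->extent_offset` makes the subtraction `INT64_MAX - item->extent_offset` overflow by itself, and a negative `offset` is not covered at all. The hunks do not show where either value is range-checked, so please confirm both are validated as non-negative when they are parsed, or reject negative values in the same condition. In the same two places the return value of `avio_seek()` is still ignored before `avio_r8(s->pb)`, so an in-range but unreachable position keeps parsing from wherever the stream was; checking it here would make the new guard complete.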
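Review bot: in mov_parse_exif_item() the new `return AVERROR_INVALIDDATA;` sits after the `if (!buf) return AVERROR(ENOMEM);` check, so `buf` has already been allocated when the function bails out, and the direct return appears to leak it. Move the overflow test above the allocation, or send it through whatever cleanup the `err != ref->extent_length` branch that follows uses to release `buf`.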
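Review bot: the check in mov_parse_heif_items() is the fourth copy of the same test in this patch, and none of the four logs why the file is rejected. A small static helper that takes the two values, performs the range check and emits an av_log() error would keep the call sites consistent and make the AVERROR_INVALIDDATA result diagnosable from the output. The commit message also says only "Fixes issue #21478."; one sentence naming the field that overflows and the effect of the unchecked sum would help readers who do not have the issue at hand.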