PR #22348 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348.patch
Found-by: Quang Luong <[email protected]> Found-by: PrymEvol Signed-off-by: Michael Niedermayer <[email protected]> >From 994ec6b96367ec56780bb3748c0b37161a4e4339 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Tue, 24 Feb 2026 03:47:15 +0100 Subject: [PATCH] avformat/mov: use 64bit in CENC subsample bounds checks Found-by: Quang Luong <[email protected]> Found-by: PrymEvol Signed-off-by: Michael Niedermayer <[email protected]> --- libavformat/mov.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 311aff7d14..0554a8185c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8201,7 +8201,7 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption } for (i = 0; i < sample->subsample_count; i++) { - if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) { + if (sample->subsamples[i].bytes_of_clear_data + (uint64_t)sample->subsamples[i].bytes_of_protected_data > size) { av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n"); return AVERROR_INVALIDDATA; } @@ -8262,7 +8262,7 @@ static int cbc1_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption } for (i = 0; i < sample->subsample_count; i++) { - if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) { + if (sample->subsamples[i].bytes_of_clear_data + (uint64_t)sample->subsamples[i].bytes_of_protected_data > size) { av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n"); return AVERROR_INVALIDDATA; } @@ -8330,7 +8330,7 @@ static int cens_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption } for (i = 0; i < sample->subsample_count; i++) { - if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) { + if (sample->subsamples[i].bytes_of_clear_data + (uint64_t)sample->subsamples[i].bytes_of_protected_data > size) { av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n"); return AVERROR_INVALIDDATA; } @@ -8401,7 +8401,7 @@ static int cbcs_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption } for (i = 0; i < sample->subsample_count; i++) { - if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) { + if (sample->subsamples[i].bytes_of_clear_data + (uint64_t)sample->subsamples[i].bytes_of_protected_data > size) { av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n"); return AVERROR_INVALIDDATA; } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
