Skip to content

Commit 63896dd

Browse files
baumanjbaumanj
committed
Gracefully fail when the number of bytes a ctts box reports overflows u32
Resolves https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35486
1 parent 38aa6f7 commit 63896dd

File tree

3 files changed

+11
-6
lines changed

3 files changed

+11
-6
lines changed

mp4parse/src/lib.rs

Lines changed: 4 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -3439,11 +3439,9 @@ fn read_ctts<T: Read>(src: &mut BMFFBox<T>) -> Result<CompositionOffsetBox> {
34393439

34403440
let counts = be_u32(src)?;
34413441

3442-
if src.bytes_left()
3443-
< counts
3444-
.checked_mul(8)
3445-
.expect("counts -> bytes overflow")
3446-
.into()
3442+
if counts
3443+
.checked_mul(8)
3444+
.map_or(true, |bytes| u64::from(bytes) > src.bytes_left())
34473445
{
34483446
return Err(Error::InvalidData("insufficient data in 'ctts' box"));
34493447
}
@@ -3469,7 +3467,7 @@ fn read_ctts<T: Read>(src: &mut BMFFBox<T>) -> Result<CompositionOffsetBox> {
34693467
})?;
34703468
}
34713469

3472-
skip_box_remain(src)?;
3470+
check_parser_state!(src.content);
34733471

34743472
Ok(CompositionOffsetBox { samples: offsets })
34753473
}

mp4parse/tests/clusterfuzz-testcase-minimized-mp4-6093954524250112

56 Bytes
Binary file not shown.

mp4parse/tests/public.rs

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -723,6 +723,13 @@ fn public_mp4_bug_1185230() {
723723
assert_eq!(number_audio_tracks, 2);
724724
}
725725

726+
#[test]
727+
fn public_mp4_ctts_overflow() {
728+
let input = &mut File::open("tests/clusterfuzz-testcase-minimized-mp4-6093954524250112")
729+
.expect("Unknown file");
730+
assert_invalid_data(mp4::read_mp4(input), "insufficient data in 'ctts' box");
731+
}
732+
726733
#[test]
727734
fn public_avif_primary_item() {
728735
let input = &mut File::open(IMAGE_AVIF).expect("Unknown file");

0 commit comments

Comments
 (0)