avformat/mov: Limit maximum box size for mov_read_lhvc()

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
2026-06-04 22:50:24 +00:00 · 2026-04-22 20:19:02 +00:00 · 2026-04-22 20:19:02 +00:00 · a7d42bfba8
commit a7d42bfba8
parent e294b390a0
1 changed files with 3 additions and 1 deletions
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@ -8683,8 +8683,10 @@ static int mov_read_lhvc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
        // TODO: handle lhvC when present before hvcC
        return 0;

-    if (atom.size < 6 || st->codecpar->extradata_size < 23)
+    if (atom.size < 6 || st->codecpar->extradata_size < 23 ||
+        atom.size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
        return AVERROR_INVALIDDATA;
+    }

    buf = av_malloc(atom.size + AV_INPUT_BUFFER_PADDING_SIZE);
    if (!buf)