Ensure box clap values are sanitised

Add two test cases to fuzz corpus to help prevent regression Prevents possible integer overflows and floating point exceptions
gitiles · Nov 2, 2020 · 45503a7 · 45503a7
1 parent f27532f
commit 45503a7
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 8 deletions.
diff --git a/fuzzing/corpus/github_367_1.heic b/fuzzing/corpus/github_367_1.heic
diff --git a/fuzzing/corpus/github_367_2.heic b/fuzzing/corpus/github_367_2.heic
diff --git a/libheif/box.cc b/libheif/box.cc
@@ -2298,14 +2298,10 @@ Error Box_clap::parse(BitstreamRange& range)
 {
   //parse_full_box_header(range);
 
-  m_clean_aperture_width.numerator = range.read32();
-  m_clean_aperture_width.denominator = range.read32();
-  m_clean_aperture_height.numerator = range.read32();
-  m_clean_aperture_height.denominator = range.read32();
-  m_horizontal_offset.numerator = range.read32();
-  m_horizontal_offset.denominator = range.read32();
-  m_vertical_offset.numerator = range.read32();
-  m_vertical_offset.denominator = range.read32();
+  m_clean_aperture_width = Fraction(range.read32(), range.read32());
+  m_clean_aperture_height = Fraction(range.read32(), range.read32());
+  m_horizontal_offset = Fraction(range.read32(), range.read32());
+  m_vertical_offset = Fraction(range.read32(), range.read32());
   if (!m_clean_aperture_width.is_valid() || !m_clean_aperture_height.is_valid() ||
       !m_horizontal_offset.is_valid() || !m_vertical_offset.is_valid()) {
     return Error(heif_error_Invalid_input,