From 147f15aac87e7cc16a686f1a7f8b10a8549d7508 Mon Sep 17 00:00:00 2001
From: Victor Loh
Date: Wed, 20 Mar 2024 22:49:48 +0000
Subject: [PATCH 1/2] Fix overflow issues found by fuzzer

Fuzzer had caught a number of large malloc and these large malloc were caused by overflow of AP4_UI32 causing the validation logic to be skipped.
---
 Source/C++/Core/Ap4Marlin.cpp | 3 ++-
 Source/C++/Core/Ap4SaioAtom.cpp | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Source/C++/Core/Ap4Marlin.cpp b/Source/C++/Core/Ap4Marlin.cpp
index d0ddd3f31..d7215d6f4 100644
--- a/Source/C++/Core/Ap4Marlin.cpp
+++ b/Source/C++/Core/Ap4Marlin.cpp
@@ -1116,10 +1116,11 @@ AP4_MkidAtom::AP4_MkidAtom(AP4_Size size,
 AP4_ByteStream& stream) :
 AP4_Atom(AP4_ATOM_TYPE_MKID, size, version, flags)
 {
+ if (size < AP4_FULL_ATOM_HEADER_SIZE+4) return;
 AP4_Size available = size-(AP4_FULL_ATOM_HEADER_SIZE+4);
 AP4_UI32 entry_count = 0;
 stream.ReadUI32(entry_count);
- if (available < entry_count*(16+4)) return;
+ if (available < (AP4_UI64)entry_count*(16+4)) return;
 m_Entries.SetItemCount(entry_count);
 for (unsigned int i=0; i= 16+4; i++) {
 AP4_UI32 entry_size;
diff --git a/Source/C++/Core/Ap4SaioAtom.cpp b/Source/C++/Core/Ap4SaioAtom.cpp
index b3b67640b..298a4e969 100644
--- a/Source/C++/Core/Ap4SaioAtom.cpp
+++ b/Source/C++/Core/Ap4SaioAtom.cpp
@@ -107,7 +107,7 @@ AP4_SaioAtom::AP4_SaioAtom(AP4_UI32 size,
 AP4_Result result = stream.ReadUI32(entry_count);
 if (AP4_FAILED(result)) return;
 remains -= 4;
- if (remains < entry_count*(m_Version==0?4:8)) {
+ if (remains < (AP4_UI64)entry_count*(m_Version==0?4:8)) {
 return;
 }
 m_Entries.SetItemCount(entry_count);

From 3ed084f04c7d3baf1777f5c93927f76cd0f28319 Mon Sep 17 00:00:00 2001
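Review bot: The result of `stream.ReadUI32(entry_count)` on the context line right after the new size guard is discarded, whereas the Ap4SaioAtom hunk in this same patch checks `AP4_FAILED(result)` before trusting the count; because `entry_count` is zero-initialised a truncated stream yields an empty table rather than garbage, but the truncation is accepted silently. Aligning the two is a one-line change: `if (AP4_FAILED(stream.ReadUI32(entry_count))) return;`. The `(AP4_UI64)` widening is the entire fix here and in the Saio hunk, yet it reads like a gratuitous cast, so a comment on both lines such as `// widen before multiplying: a 32-bit product can wrap and slip past this bounds check` would protect it from a later "cleanup". The constructor continues past the hunk, and the `for` condition appears truncated in this rendering, so the per-entry reads could not be reviewed.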
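Review bot: `remains -= 4;` on the context line above the widened comparison runs unconditionally once the read succeeds, and nothing in the hunk shows `remains` being compared against 4 first; a successful four-byte read proves the stream had the bytes, not that the atom's declared payload did. If `remains` is unsigned and no earlier check exists, an atom declaring fewer than four payload bytes wraps `remains` to a huge value and the new 64-bit comparison then passes, defeating the fix. If the earlier part of the constructor already guarantees `remains >= 4` this is fine; otherwise `if (remains < 4) return;` before the subtraction closes it. The constructor's start lies outside the hunk, so this is inferred rather than confirmed.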
From: Victor Loh
Date: Wed, 20 Mar 2024 23:27:36 +0000
Subject: [PATCH 2/2] Add boundary checks to Ap4IproAtom

Fuzzer caught another large malloc. This is caused by lack of boundary check resulting in the next atom (children atom) to artificially large "size" due to the underflow in bytes_available.
---
 Source/C++/Core/Ap4IproAtom.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Source/C++/Core/Ap4IproAtom.cpp b/Source/C++/Core/Ap4IproAtom.cpp
index 41c7429e8..6d4bae5ae 100644
--- a/Source/C++/Core/Ap4IproAtom.cpp
+++ b/Source/C++/Core/Ap4IproAtom.cpp
@@ -62,6 +62,10 @@ AP4_IproAtom::AP4_IproAtom(AP4_UI32 size,
 AP4_AtomFactory& atom_factory) :
 AP4_ContainerAtom(AP4_ATOM_TYPE_IPRO, size, false, version, flags)
 {
+ if (size < AP4_FULL_ATOM_HEADER_SIZE + 2) {
+ return;
+ }
+
 // read the number of entries
 AP4_UI16 entry_count;
 stream.ReadUI16(entry_count);
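Review bot: The new guard proves the atom declares room for the two-byte count, but on the lines right after it `AP4_UI16 entry_count;` is left uninitialised and the result of `stream.ReadUI16(entry_count)` is discarded, so a stream shorter than the atom's declared size leaves an indeterminate count for whatever follows. Two small changes close that: `AP4_UI16 entry_count = 0;` and `if (AP4_FAILED(stream.ReadUI16(entry_count))) return;`. The literal `2` also deserves a word, e.g. `// at least the 2-byte entry_count must follow the full-atom header`, since the commit message ties this check to the bytes_available underflow. The body continues outside the hunk, so whether the per-entry reads that consume bytes_available are themselves bounded by the remaining size could not be confirmed here and is worth checking.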