Protect against oversized (out of bounds) samples in avif sample tables Fixes oss-fuzz @ 21947

commit: 34c0d3147f3d30e1218bceda410c978481a5e1be [log] [tgz]
author: Joe Drago <jdrago@netflix.com> Thu Apr 30 15:23:03 2020 -0700
committer: Joe Drago <jdrago@netflix.com> Thu Apr 30 15:24:38 2020 -0700
tree: d41814faa7a22d2067e9b290c646d8c5a2ae3b27
parent: a7d479eccdf4728f7209dbdcd6ada8ecaca64b4f [diff]
diff --git a/src/read.c b/src/read.c
index 735d841..f258846 100644
--- a/src/read.c
+++ b/src/read.c

@@ -344,6 +344,9 @@
             if (sampleOffset > (uint64_t)rawInput->size) {
                 return AVIF_FALSE;
             }
+            if ((sampleOffset + sampleSize) > (uint64_t)rawInput->size) {
+                return AVIF_FALSE;
+            }
 
             sampleOffset += sampleSize;
             ++sampleSizeIndex;
commit	34c0d3147f3d30e1218bceda410c978481a5e1be	[log] [tgz]
author	Joe Drago <jdrago@netflix.com>	Thu Apr 30 15:23:03 2020 -0700
committer	Joe Drago <jdrago@netflix.com>	Thu Apr 30 15:24:38 2020 -0700
tree	d41814faa7a22d2067e9b290c646d8c5a2ae3b27
parent	a7d479eccdf4728f7209dbdcd6ada8ecaca64b4f [diff]