[FFmpeg-devel] [PATCHv2] avformat/mov: fix integer overflow

Michael Niedermayer michael at niedermayer.cc
Tue Oct 13 19:49:40 CEST 2015


On Tue, Oct 13, 2015 at 12:26:24PM -0400, Ganesh Ajjanagadde wrote:
> Partially fixes Ticket 4727.
> 
> -duration is not a safe expression, since duration can be INT_MIN.
> One might ask how it can become INT_MIN.
> Although it is true that line 2574 is no longer reached with INT_MIN due
> to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another
> integer overflow issue), mov_update_dts_shift is called on line 3549 as
> well, right after a read of untrusted data.
> One can do the fix locally there, but that function is already a huge
> mess. Changing mov_update_dts_shift is likely better.
> 
> This changes duration to INT_MIN + 1 in such cases. This should not make any
> practical difference since such streams are anyway fuzzer files.
> 
> Tested with FATE.
> 
> Signed-off-by: Ganesh Ajjanagadde <gajjanagadde at gmail.com>
> ---
>  libavformat/mov.c | 4 ++++
>  1 file changed, 4 insertions(+)

LGTM

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
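
An added example, not part of the original mail or of FFmpeg's source: the clamp described in the commit message, applied to signed 32-bit durations decoded from untrusted bytes. The struct, function names and sample bytes are hypothetical and constructed here, and `int` is assumed to be 32 bits wide.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-stream state; not FFmpeg's own struct. */
struct stream_state {
    int dts_shift; /* largest negated negative duration seen so far */
};

/* Decode a big-endian signed 32-bit field from untrusted input. */
static int32_t read_be32s(const uint8_t *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    /* Map the upper half by arithmetic, not by an out-of-range cast. */
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* -duration overflows when duration == INT_MIN, so clamp before negating. */
static void update_dts_shift(struct stream_state *st, int duration)
{
    if (duration >= 0)
        return;
    if (duration == INT_MIN)
        duration = INT_MIN + 1; /* now -duration == INT_MAX */
    if (-duration > st->dts_shift)
        st->dts_shift = -duration;
}

/* Feed n 4-byte entries through the update and return the final shift. */
static int shift_for_entries(const uint8_t *buf, size_t n)
{
    struct stream_state st = { 0 };
    for (size_t i = 0; i < n; i++)
        update_dts_shift(&st, read_be32s(buf + 4 * i));
    return st.dts_shift;
}

int main(void)
{
    /* Constructed sample: durations 10, -5 and INT_MIN. */
    static const uint8_t sample[] = { 0, 0, 0, 10, 0xFF, 0xFF, 0xFF, 0xFB,
                                      0x80, 0, 0, 0 };
    printf("dts_shift = %d\n", shift_for_entries(sample, 3));
    return 0;
}
```

Building with `-fsanitize=undefined` and removing the clamp makes the sanitizer report the negation on the third sample entry.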