[FFmpeg-devel] [PATCH] Fix signed integer overflows

Tue Aug 22 20:13:28 EEST 2017

What else can I do yo make it accepted?

On Sun, Aug 20, 2017 at 11:56 AM, Vitaly Buka <vitalybuka at google.com> wrote:

> Signed integer overflow is undefined behavior.
> Detected with clang and -fsanitize=signed-integer-overflow
>
> Signed-off-by: Vitaly Buka <vitalybuka at google.com>
> ---
>  libavcodec/utils.c    | 2 +-
>  libavformat/aviobuf.c | 2 ++
>  libavformat/mov.c     | 2 +-
>  3 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/utils.c b/libavcodec/utils.c
> index 1336e921c9..1b8ad1d200 100644
> --- a/libavcodec/utils.c
> +++ b/libavcodec/utils.c
> @@ -971,7 +971,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
>          }
>
>          if (!avctx->rc_initial_buffer_occupancy)
> -            avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size *
> 3 / 4;
> +            avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size *
> 3LL / 4;
>
>          if (avctx->ticks_per_frame && avctx->time_base.num &&
>              avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) {
> diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
> index 7f4e740a33..ec21fc7d38 100644
> --- a/libavformat/aviobuf.c
> +++ b/libavformat/aviobuf.c
> @@ -259,6 +259,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int
> whence)
>          offset1 = pos + (s->buf_ptr - s->buffer);
>          if (offset == 0)
>              return offset1;
> +        if (offset > INT64_MAX - offset1)
> +            return AVERROR(EINVAL);
>          offset += offset1;
>      }
>      if (offset < 0)
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 522ce60c2d..a14c9f182b 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5572,7 +5572,7 @@ static int mov_read_default(MOVContext *c,
> AVIOContext *pb, MOVAtom atom)
>
>      if (atom.size < 0)
>          atom.size = INT64_MAX;
> -    while (total_size + 8 <= atom.size && !avio_feof(pb)) {
> +    while (total_size <= atom.size - 8 && !avio_feof(pb)) {
>          int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL;
>          a.size = atom.size;
>          a.type=0;
> --
> 2.14.1.480.gb18f417b89-goog
>
>