[FFmpeg-devel] [PATCH] Fix signed integer overflows

James Almer jamrial at gmail.com
Tue Aug 22 20:31:37 EEST 2017 

On 8/22/2017 2:30 PM, Paul B Mahol wrote:
> On 8/22/17, Vitaly Buka <vitalybuka-at-google.com at ffmpeg.org> wrote:
>> What else can I do yo make it accepted?
> 
> Ping it after month or two?

A week is enough wait to justify a ping. A month is overkill.

> 
>>
>> On Sun, Aug 20, 2017 at 11:56 AM, Vitaly Buka <vitalybuka at google.com> wrote:
>>
>>> Signed integer overflow is undefined behavior.
>>> Detected with clang and -fsanitize=signed-integer-overflow
>>>
>>> Signed-off-by: Vitaly Buka <vitalybuka at google.com>
>>> ---
>>>  libavcodec/utils.c    | 2 +-
>>>  libavformat/aviobuf.c | 2 ++
>>>  libavformat/mov.c     | 2 +-
>>>  3 files changed, 4 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/libavcodec/utils.c b/libavcodec/utils.c
>>> index 1336e921c9..1b8ad1d200 100644
>>> --- a/libavcodec/utils.c
>>> +++ b/libavcodec/utils.c
>>> @@ -971,7 +971,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
>>>          }
>>>
>>>          if (!avctx->rc_initial_buffer_occupancy)
>>> -            avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size *
>>> 3 / 4;
>>> +            avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size *
>>> 3LL / 4;
>>>
>>>          if (avctx->ticks_per_frame && avctx->time_base.num &&
>>>              avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) {
>>> diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
>>> index 7f4e740a33..ec21fc7d38 100644
>>> --- a/libavformat/aviobuf.c
>>> +++ b/libavformat/aviobuf.c
>>> @@ -259,6 +259,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int
>>> whence)
>>>          offset1 = pos + (s->buf_ptr - s->buffer);
>>>          if (offset == 0)
>>>              return offset1;
>>> +        if (offset > INT64_MAX - offset1)
>>> +            return AVERROR(EINVAL);
>>>          offset += offset1;
>>>      }
>>>      if (offset < 0)
>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>> index 522ce60c2d..a14c9f182b 100644
>>> --- a/libavformat/mov.c
>>> +++ b/libavformat/mov.c
>>> @@ -5572,7 +5572,7 @@ static int mov_read_default(MOVContext *c,
>>> AVIOContext *pb, MOVAtom atom)
>>>
>>>      if (atom.size < 0)
>>>          atom.size = INT64_MAX;
>>> -    while (total_size + 8 <= atom.size && !avio_feof(pb)) {
>>> +    while (total_size <= atom.size - 8 && !avio_feof(pb)) {
>>>          int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL;
>>>          a.size = atom.size;
>>>          a.type=0;
>>> --
>>> 2.14.1.480.gb18f417b89-goog
>>>
>>>
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel at ffmpeg.org
>> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

More information about the ffmpeg-devel mailing list