[FFmpeg-devel] [PATCH] avformat/mov: abort reading truncated stts
Gyan Doshi
ffmpeg at gyani.pro
Mon Dec 20 22:36:13 EET 2021
On 2021-12-21 01:27 am, Andreas Rheinhardt wrote:
> Gyan Doshi:
>> Avoids overreading the box and ingesting absurd values into stts_data
>> ---
>>
>> Fixes prolonged demuxing for fuzzer-generated files in the loop added in
>> patch for max_stts_delta
>>
>> libavformat/mov.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index 2aed6e80ef..8d88119b29 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -2935,6 +2935,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>> avio_rb24(pb); /* flags */
>> entries = avio_rb32(pb);
>>
>> + if (atom.size < 8 + entries*8) {
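Review bot: the size check in this hunk can wrap for large counts. `entries` comes from `avio_rb32()` and is 32-bit unsigned, so `entries*8` is evaluated in 32-bit unsigned arithmetic and reduced modulo 2^32 before the sum is widened to `int64_t` for the comparison with `atom.size`; for any count of 2^29 or more the product loses its high bits and the check can pass for a box far too small to hold the entries. Widen before multiplying, e.g. `if (atom.size < 8 + (int64_t)entries * 8) {`, or bound the count by the payload that is actually present, e.g. `if (atom.size < 8 || entries > (atom.size - 8) / 8)`.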
> This can overflow.
Can you illustrate?
atom.size is int64; entries is uint32.
And cppreference says, "If the signed type can represent all values of the unsigned type, then the operand with the unsigned type is implicitly converted to the signed type."
Gyan
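The overflow under discussion, as an added example that is not code from the patch or from either participant: the hunk's expression beside two forms that cannot wrap. It takes `entries` as 32-bit unsigned, as stated above; the function names and the 8-byte sample box are constructed for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirrors the hunk: with a 32-bit unsigned `entries`, `entries * 8` is computed
 * in 32-bit unsigned arithmetic and reduced modulo 2^32 BEFORE the sum is
 * widened to int64_t for the comparison. The signed/unsigned conversion rule
 * quoted above applies to that final comparison, not to the multiplication. */
static bool stts_truncated_naive(int64_t atom_size, uint32_t entries)
{
    return atom_size < 8 + entries * 8;
}

/* Widen first, then multiply: the product lives in 64 bits and cannot wrap
 * for any 32-bit count (2^32 * 8 is far below INT64_MAX). */
static bool stts_truncated_widened(int64_t atom_size, uint32_t entries)
{
    return atom_size < 8 + (int64_t)entries * 8;
}

/* Multiplication-free form: bound the count by the payload actually present. */
static bool stts_truncated_divided(int64_t atom_size, uint32_t entries)
{
    if (atom_size < 8)
        return true;
    return entries > (uint64_t)(atom_size - 8) / 8;
}

/* What the 32-bit multiply actually produces for a given count. */
static uint32_t wrapped_byte_count(uint32_t entries)
{
    return entries * 8;
}

int main(void)
{
    /* Constructed case: an 8-byte box (version/flags + count, no entries)
     * that claims 2^29 entries; 2^29 * 8 == 2^32, which wraps to 0. */
    int64_t atom_size = 8;
    uint32_t entries = 1u << 29;
    printf("entries * 8 in 32 bits: %u\n", (unsigned)wrapped_byte_count(entries));
    printf("naive rejects: %d, widened rejects: %d, divided rejects: %d\n",
           stts_truncated_naive(atom_size, entries),
           stts_truncated_widened(atom_size, entries),
           stts_truncated_divided(atom_size, entries));
    return 0;
}
```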