[FFmpeg-devel] [PATCH 3/3] avformat/mov: Fix overflow in corrected_dts
James Almer
jamrial at gmail.com
Sat Nov 30 04:39:06 EET 2024
On 11/29/2024 11:20 PM, Michael Niedermayer wrote:
> This fix doesnt feel optimal, better fix is welcome
Would you be ok with the C23 stdckdint.h compat header patch i sent two
months ago being committed and used for this kind of overflow?
I ask because the only con from using it is that backports to existing
branches will either require said header also being included in them, or
a different fix being applied.
>
> Fixes: signed integer overflow: -9223091047224049440 + -281474976645120 cannot be represented in type 'long long'
> Fixes: 376128123/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4533016505942016
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/mov.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 3cfcade4d82..f08834417df 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -3533,7 +3533,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> av_log(c->fc, AV_LOG_WARNING, "Too large sample offset %u in stts entry %u with count %u in st:%d. Clipping to 1.\n",
> sample_duration, i, sample_count, st->index);
> sc->stts_data[i].duration = 1;
> - corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count;
> + corrected_dts += (delta_magnitude < 0 ? (uint64_t)delta_magnitude : 1) * sample_count;
> } else {
> corrected_dts += sample_duration * (uint64_t)sample_count;
> }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20241129/a89cd24f/attachment.sig>
More information about the ffmpeg-devel
mailing list