[FFmpeg-devel] [PATCH] avformat/mov: fix potential unsigned underflow in loop condition
Andreas Rheinhardt
andreas.rheinhardt at outlook.com
Mon Jan 13 23:22:32 EET 2025
James Almer:
> if sc->tts_count is 0, this condition will wrap around to UINT_MAX and the
> code will try to dereference a NULL pointer.
>
> Fixes ticket #11417
>
> Signed-off-by: James Almer <jamrial at gmail.com>
> ---
> libavformat/mov.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 405d61fdf5..50ecf6e2b2 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5191,7 +5191,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> }
>
> #if FF_API_R_FRAME_RATE
> - for (int i = 1; sc->stts_count && i < sc->tts_count - 1; i++) {
> + for (int i = 1; sc->stts_count && i < (int64_t)sc->tts_count - 1; i++) {
> if (sc->tts_data[i].duration == sc->tts_data[0].duration)
> continue;
> stts_constant = 0;
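Review bot: The guard in the changed `for` condition tests `sc->stts_count`, but the value that is subtracted from is `sc->tts_count`, so the guard never protected the subtraction, and the `(int64_t)` cast fixes the wrap without making that visible to the next reader. Either write the bound without a subtraction, as `i + 1 < sc->tts_count`, or keep the cast and add a short comment that `tts_count` can be 0 while `stts_count` is not. The body reads `sc->tts_data[i]` and `sc->tts_data[0]`, so whichever form is chosen must skip the loop entirely when `tts_count` is 0.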
Wouldn't i + 1 < sc->tts_count be a more readable alternative (that
would also avoid a cast and 64bit arithmetic)?
- Andreas
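Added example, not part of the original thread and not FFmpeg code: it counts how many indices each of the three loop conditions discussed above (pre-patch, patched with the cast, and the `i + 1 <` alternative) would visit for a given unsigned count. The function names, the `cap` parameter and the sample counts are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers (not FFmpeg code): each returns how many indices the
 * loop would visit for a given unsigned count. `cap` stops the wrapped loop
 * early so the demonstration never indexes memory or overflows `i`. */

/* Pre-patch condition: count - 1 is evaluated in unsigned arithmetic. */
static unsigned visits_original(unsigned count, unsigned cap)
{
    unsigned visited = 0;
    for (int i = 1; i < count - 1 && visited < cap; i++)
        visited++;
    return visited;
}

/* Patched condition: widen to int64_t before subtracting. */
static unsigned visits_cast(unsigned count, unsigned cap)
{
    unsigned visited = 0;
    for (int i = 1; i < (int64_t)count - 1 && visited < cap; i++)
        visited++;
    return visited;
}

/* Suggested alternative: move the 1 to the other side, no subtraction. */
static unsigned visits_add(unsigned count, unsigned cap)
{
    unsigned visited = 0;
    for (int i = 1; i + 1 < count && visited < cap; i++)
        visited++;
    return visited;
}

int main(void)
{
    const unsigned counts[] = { 0, 1, 2, 5 };  /* constructed sample values */
    const unsigned cap = 1000;

    for (size_t k = 0; k < sizeof(counts) / sizeof(counts[0]); k++)
        printf("count=%u original=%u cast=%u add=%u\n", counts[k],
               visits_original(counts[k], cap), visits_cast(counts[k], cap),
               visits_add(counts[k], cap));
    return 0;
}
```

Only a count of 0 separates the forms: the pre-patch condition runs until the cap, while both replacements skip the loop.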