[FFmpeg-cvslog] avformat/mov: Fix integer overflows related to sample_duration

Sun, 11 Mar 2018 17:34:33 -0700 

ffmpeg | branch: master | Michael Niedermayer <mich...@niedermayer.cc> | Fri 
Mar  9 16:43:29 2018 +0100| [2f37082827a405430c40408ee2db19ea2866ce64] | 
committer: Michael Niedermayer

avformat/mov: Fix integer overflows related to sample_duration

Fixes: runtime error: signed integer overflow: -9166684017437101870 + 
-2495066639299164439 cannot be represented in type

Fixes: Chromium bug 791349

Reported-by: Matt Wolenetz <wolen...@google.com>
Reviewed-by: Matt Wolenetz <wolen...@google.com>
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2f37082827a405430c40408ee2db19ea2866ce64
---

 libavformat/mov.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 51228f5df2..b7f9c0cdd1 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2885,14 +2885,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext 
*pb, MOVAtom atom)
             && total_sample_count > 100
             && sample_duration/10 > duration / total_sample_count)
             sample_duration = duration / total_sample_count;
-        duration+=(int64_t)sample_duration*sample_count;
+        duration+=(int64_t)sample_duration*(uint64_t)sample_count;
         total_sample_count+=sample_count;
     }
 
     sc->stts_count = i;
 
-    sc->duration_for_fps  += duration;
-    sc->nb_frames_for_fps += total_sample_count;
+    if (duration > 0 &&
+        duration <= INT64_MAX - sc->duration_for_fps &&
+        total_sample_count <= INT64_MAX - sc->nb_frames_for_fps
+    ) {
+        sc->duration_for_fps  += duration;
+        sc->nb_frames_for_fps += total_sample_count;
+    }
 
     if (pb->eof_reached) {
         av_log(c->fc, AV_LOG_WARNING, "reached eof, corrupted STTS atom\n");
@@ -4798,8 +4803,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
         dts += sample_duration;
         offset += sample_size;
         sc->data_size += sample_size;
-        sc->duration_for_fps += sample_duration;
-        sc->nb_frames_for_fps ++;
+
+        if (sample_duration <= INT64_MAX - sc->duration_for_fps &&
+            1 <= INT64_MAX - sc->nb_frames_for_fps
+        ) {
+            sc->duration_for_fps += sample_duration;
+            sc->nb_frames_for_fps ++;
+        }
     }
     if (i < entries) {
         // EOF found before reading all entries.  Fix the hole this would

_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

Reply via email to