On 2021-12-21 01:27 am, Andreas Rheinhardt wrote:
Gyan Doshi:
Avoids overreading the box and ingesting absurd values into stts_data
---
Fixes prolonged demuxing for fuzzer-generated files in the loop added in
patch for max_stts_delta
libavformat/mov.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2aed6e80ef..8d88119b29 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2935,6 +2935,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
avio_rb24(pb); /* flags */
entries = avio_rb32(pb);
+ if (atom.size < 8 + entries*8) {
This can overflow.
Can you illustrate?
atom.size is int64; entries is uint32.
And cppreference says,
"If the signed type can represent all values of the unsigned type, then
the operand with the unsigned type is implicitly converted to the signed
type. "
Gyan
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
