On 11/29/2024 11:20 PM, Michael Niedermayer wrote:
This fix doesnt feel optimal, better fix is welcome
Would you be ok with the C23 stdckdint.h compat header patch i sent two months ago being committed and used for this kind of overflow? I ask because the only con from using it is that backports to existing branches will either require said header also being included in them, or a different fix being applied.
Fixes: signed integer overflow: -9223091047224049440 + -281474976645120 cannot be represented in type 'long long' Fixes: 376128123/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4533016505942016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3cfcade4d82..f08834417df 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3533,7 +3533,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Too large sample offset %u in stts entry %u with count %u in st:%d. Clipping to 1.\n", sample_duration, i, sample_count, st->index); sc->stts_data[i].duration = 1; - corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count; + corrected_dts += (delta_magnitude < 0 ? (uint64_t)delta_magnitude : 1) * sample_count; } else { corrected_dts += sample_duration * (uint64_t)sample_count; }
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
