Partially fixes Ticket 4727. -duration is not a safe expression, since duration can be INT_MIN. One might ask how it can become INT_MIN. Although it is true that line 2574 is no longer reached with INT_MIN due to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another integer overflow issue), mov_update_dts_shift is called on line 3549 as well, right after a read of untrusted data. One can do the fix locally there, but that function is already a huge mess. Changing mov_update_dts_shift is likely better.
This changes duration to INT_MIN + 1 in such cases. This should not make any practical difference since such streams are anyway fuzzer files. Tested with FATE. Signed-off-by: Ganesh Ajjanagadde <gajjanaga...@gmail.com> --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4c073a3..87b46cf 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2521,6 +2521,8 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) static void mov_update_dts_shift(MOVStreamContext *sc, int duration) { if (duration < 0) { + if (duration == INT_MIN) + duration++; sc->dts_shift = FFMAX(sc->dts_shift, -duration); } } -- 2.6.1
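Review bot: the INT_MIN special case in mov_update_dts_shift is correct (after the increment, -duration is INT_MAX, which is representable as int, so FFMAX no longer negates INT_MIN), but the bare `duration++` reads like a typo to anyone not holding the overflow in mind; add a one-line comment above it, e.g. `/* -INT_MIN overflows int; clamp so -duration stays representable */`, and consider writing the clamp as `duration = INT_MIN + 1;` so the intent is explicit rather than relying on the reader to notice it only fires on INT_MIN. Also confirm that a header providing INT_MIN (limits.h, directly or via an existing include) is already pulled into mov.c, since the hunk adds none.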