On Sat, Oct 10, 2015 at 01:51:10PM -0400, Ganesh Ajjanagadde wrote:
> Partially fixes Ticket 4727.
>
> -duration is not a safe expression, since duration can be INT_MIN.
> One might ask how it can become INT_MIN.
> Although it is true that line 2574 is no longer reached with INT_MIN due
> to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another
> integer overflow issue), mov_update_dts_shift is called on line 3549 as
> well, right after a read of untrusted data.
> One can do the fix locally there, but that function is already a huge
> mess. Changing mov_update_dts_shift is likely better.
>
> This changes duration to INT_MIN + 1 in such cases. This should not make any
> practical difference since such streams are anyway fuzzer files.
>
> Tested with FATE.
>
> Signed-off-by: Ganesh Ajjanagadde <[email protected]>
> ---
> libavformat/mov.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 4c073a3..87b46cf 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -2521,6 +2521,8 @@ static int mov_read_stts(MOVContext *c, AVIOContext
> *pb, MOVAtom atom)
> static void mov_update_dts_shift(MOVStreamContext *sc, int duration)
> {
> if (duration < 0) {
> + if (duration == INT_MIN)
> + duration++;
> sc->dts_shift = FFMAX(sc->dts_shift, -duration);
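Review bot: the `duration++` in this hunk silently clamps a value that, per the commit message, only appears in corrupted or fuzzer-generated input; rejecting it with an error at the callers (the function is `static void`, so it cannot report one itself) would be cleaner than changing the value inside mov_update_dts_shift. Note also the consequence of the clamp: after the increment `-duration` is INT_MAX, so `sc->dts_shift` becomes INT_MAX and any later arithmetic that adds dts_shift to a timestamp needs to tolerate that extreme value. The patch does remove the undefined behaviour of negating INT_MIN, which is the immediate issue.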
Should be OK, though I think duration == INT_MIN should maybe be treated as an error prior to mov_update_dts_shift

[...]

--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What does censorship reveal? It reveals fear. -- Julian Assange
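The alternative raised above, validating the untrusted duration before it reaches the shift update, as an added example that is not part of the patch or of ffmpeg's code; StreamCtx, validate_duration, apply_duration and shift_after_pair are hypothetical stand-ins for the real MOVStreamContext and call sites:

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the one MOVStreamContext field the patch touches. */
typedef struct { int dts_shift; } StreamCtx;

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Reject the single value whose negation is undefined behaviour.
   Returns 0 when the duration is usable, -1 for invalid input. */
int validate_duration(int duration) {
    return duration == INT_MIN ? -1 : 0;
}

/* Same shape as the page's mov_update_dts_shift, but only reached after
   validation, so -duration is always representable in an int. */
void update_dts_shift(StreamCtx *sc, int duration) {
    if (duration < 0)
        sc->dts_shift = MAX(sc->dts_shift, -duration);
}

/* Caller-side pattern: check right after the untrusted read, before use. */
int apply_duration(StreamCtx *sc, int duration) {
    if (validate_duration(duration) < 0)
        return -1;              /* caller would surface this as an error */
    update_dts_shift(sc, duration);
    return 0;
}

/* Apply two durations in sequence; returns the resulting dts_shift,
   or -1 if either value was rejected (dts_shift is never negative). */
int shift_after_pair(int first, int second) {
    StreamCtx sc = { 0 };
    if (apply_duration(&sc, first) < 0 || apply_duration(&sc, second) < 0)
        return -1;
    return sc.dts_shift;
}

int main(void) {
    printf("shift after -5, -3:        %d\n", shift_after_pair(-5, -3));
    printf("shift after -5, INT_MIN:   %d (rejected)\n",
           shift_after_pair(-5, INT_MIN));
    printf("shift after -5, INT_MIN+1: %d\n", shift_after_pair(-5, INT_MIN + 1));
    return 0;
}
```

The last case shows what the patch's clamp also produces: INT_MIN + 1 is legal input yet drives dts_shift to INT_MAX, so downstream timestamp arithmetic still has to cope with the extreme.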
_______________________________________________
ffmpeg-devel mailing list
[email protected]
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
