[FFmpeg-devel] [PATCHv2] avformat/mov: fix integer overflow

Ganesh Ajjanagadde gajjanag at mit.edu
Wed Oct 14 01:49:12 CEST 2015


On Tue, Oct 13, 2015 at 1:49 PM, Michael Niedermayer
<michael at niedermayer.cc> wrote:
> On Tue, Oct 13, 2015 at 12:26:24PM -0400, Ganesh Ajjanagadde wrote:
>> Partially fixes Ticket 4727.
>>
>> -duration is not a safe expression, since duration can be INT_MIN.
>> One might ask how it can become INT_MIN.
>> Although it is true that line 2574 is no longer reached with INT_MIN due
>> to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another
>> integer overflow issue), mov_update_dts_shift is called on line 3549 as
>> well, right after a read of untrusted data.
>> One can do the fix locally there, but that function is already a huge
>> mess. Changing mov_update_dts_shift is likely better.
>>
>> This changes duration to INT_MIN + 1 in such cases. This should not make any
>> practical difference since such streams are anyway fuzzer files.
>>
>> Tested with FATE.
>>
>> Signed-off-by: Ganesh Ajjanagadde <gajjanagadde at gmail.com>
>> ---
>>  libavformat/mov.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>
> LGTM
>
> thx

pushed and updated ticket, thanks.

>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Many things microsoft did are stupid, but not doing something just because
> microsoft did it is even more stupid. If everything ms did were stupid they
> would be bankrupt already.
>
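The hazard the commit message describes, as an added C example that is not FFmpeg's code: a 32-bit duration is read from untrusted input and then negated, and `-duration` is undefined behaviour when the value is INT_MIN. The safe version clamps that one case, which is equivalent to first bumping duration to INT_MIN + 1 as the patch does. The names read_be32, clamped_negate, update_dts_shift and process_sample, and the sample bytes, are constructed for this example and are not FFmpeg's mov_update_dts_shift or its data.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian signed 32-bit value from untrusted bytes.
 * The uint32 -> int32 cast of 0x80000000 yields INT_MIN on every
 * two's-complement compiler in practice (implementation-defined in C). */
static int32_t read_be32(const uint8_t *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* Hypothetical helper (assumption, not FFmpeg's code): negate without
 * undefined behaviour. -INT_MIN does not fit in an int, so that single
 * input is treated as INT_MIN + 1, whose negation is INT_MAX. */
static int clamped_negate(int duration)
{
    if (duration == INT_MIN)
        return INT_MAX;      /* -(INT_MIN + 1) == INT_MAX */
    return -duration;
}

/* Hypothetical dts-shift update (assumption): keep the largest magnitude
 * of any negative duration seen so far, as a non-negative shift. The
 * unsafe form of this function would compute -duration directly. */
static int update_dts_shift(int shift, int duration)
{
    if (duration < 0) {
        int neg = clamped_negate(duration);
        if (neg > shift)
            shift = neg;
    }
    return shift;
}

/* Parse one raw 4-byte duration field and fold it into the shift. */
static int process_sample(int shift, const uint8_t *raw)
{
    return update_dts_shift(shift, read_be32(raw));
}

int main(void)
{
    /* Constructed input: the fuzzer-style case, 0x80000000 == INT_MIN. */
    static const uint8_t min_bytes[4] = { 0x80, 0x00, 0x00, 0x00 };
    static const uint8_t neg5_bytes[4] = { 0xff, 0xff, 0xff, 0xfb };

    int shift = process_sample(0, neg5_bytes);
    printf("shift after -5:      %d\n", shift);
    shift = process_sample(shift, min_bytes);
    printf("shift after INT_MIN: %d\n", shift);
    return 0;
}
```

Built with `-fsanitize=undefined`, replacing clamped_negate with a plain `-duration` makes the INT_MIN input trip the sanitizer; with the clamp it does not.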
