[FFmpeg-devel] [PATCH] avformat/mov: fix potential unsigned underflow in loop condition

Mon Jan 13 23:17:48 EET 2025

if sc->tts_count is 0, this condition will wrap around to UINT_MAX and the
code will try to dereference a NULL pointer.

Fixes ticket #11417

Signed-off-by: James Almer <jamrial at gmail.com>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 405d61fdf5..50ecf6e2b2 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5191,7 +5191,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         }
 
 #if FF_API_R_FRAME_RATE
-        for (int i = 1; sc->stts_count && i < sc->tts_count - 1; i++) {
+        for (int i = 1; sc->stts_count && i < (int64_t)sc->tts_count - 1; i++) {
             if (sc->tts_data[i].duration == sc->tts_data[0].duration)
                 continue;
             stts_constant = 0;
-- 
2.48.0

