[FFmpeg-devel] [PATCH] avformat/mov: fix potential unsigned underflow in loop condition
James Almer
jamrial at gmail.com
Mon Jan 13 23:44:10 EET 2025
On 1/13/2025 6:22 PM, Andreas Rheinhardt wrote:
> James Almer:
>> if sc->tts_count is 0, this condition will wrap around to UINT_MAX and the
>> code will try to dereference a NULL pointer.
>>
>> Fixes ticket #11417
>>
>> Signed-off-by: James Almer <jamrial at gmail.com>
>> ---
>> libavformat/mov.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index 405d61fdf5..50ecf6e2b2 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -5191,7 +5191,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>> }
>>
>> #if FF_API_R_FRAME_RATE
>> - for (int i = 1; sc->stts_count && i < sc->tts_count - 1; i++) {
>> + for (int i = 1; sc->stts_count && i < (int64_t)sc->tts_count - 1; i++) {
>> if (sc->tts_data[i].duration == sc->tts_data[0].duration)
>> continue;
>> stts_constant = 0;
>
> Wouldn't i + 1 < sc->tts_count be a more readable alternative (that
> would also avoid a cast and 64bit arithmetic)?
Eh, I don't know if it's more readable for a casual reader. And this is
read_trak() which is read once per stream, so casting to int64_t is
hardly a problem. But sure, can change it.
>
> - Andreas
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250113/929eb242/attachment.sig>
More information about the ffmpeg-devel
mailing list