From patchwork Fri Apr 19 21:59:28 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Diego Felix de Souza via ffmpeg-devel
 <ffmpeg-devel@ffmpeg.org>
X-Patchwork-Id: 12821
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 75E42447D13
	for <patchwork@ffaux-bg.ffmpeg.org>;
	Sat, 20 Apr 2019 00:59:28 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5578F68A9BB;
	Sat, 20 Apr 2019 00:59:28 +0300 (EEST)
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Message-ID: <mailman.727.1555711168.1132.ffmpeg-devel@ffmpeg.org>
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
X-Patchwork-Original-From: Dan Sanders via ffmpeg-devel
 <ffmpeg-devel@ffmpeg.org>
From: Diego Felix de Souza via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Precedence: list
Cc: Dan Sanders <sandersd@google.com>
X-Mailman-Version: 2.1.20
X-BeenThere: ffmpeg-devel@ffmpeg.org
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
Subject: [FFmpeg-devel] [PATCH] libavformat/mov: limit nb_frames_for_fps to
	INT_MAX
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Date: Sat, 20 Apr 2019 00:59:28 +0300 (EEST)

Fixes: UBSan runtime error
Found-by: Clusterfuzz
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

         sc->nb_frames_for_fps += total_sample_count;

diff --git a/libavformat/mov.c b/libavformat/mov.c
index d5ce077e63..7e7de5962d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2940,7 +2940,7 @@ static int mov_read_stts(MOVContext *c,
AVIOContext *pb, MOVAtom atom)

     if (duration > 0 &&
         duration <= INT64_MAX - sc->duration_for_fps &&
-        total_sample_count <= INT64_MAX - sc->nb_frames_for_fps
+        total_sample_count <= INT_MAX - sc->nb_frames_for_fps
     ) {
         sc->duration_for_fps  += duration;