@@ -971,7 +971,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
}
if (!avctx->rc_initial_buffer_occupancy)
- avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4;
+ avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3ll / 4;
if (avctx->ticks_per_frame && avctx->time_base.num &&
avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) {
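Review bot: The widening on the `+` line is carried by a single `ll` suffix that is easy to miss, and the `long long` quotient is then narrowed back to `int` implicitly when it is stored in `rc_initial_buffer_occupancy`; nothing in the hunk records why that narrowing is safe. Since `rc_buffer_size` is an `int`, the product is at most 3 * INT_MAX and the quotient at most 0.75 * INT_MAX, so the value fits, but a reader seeing `long long` assigned to `int` will reasonably wonder. A one-line comment above the assignment would settle it: `/* 3ll widens the product to 64 bits so rc_buffer_size * 3 cannot overflow int; the quotient (<= 3/4 INT_MAX) fits back into int */`. Whether a negative `rc_buffer_size` is rejected before this point is not visible in the hunk; if it is not, the default becomes negative and that pre-existing case is unchanged by this commit.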
@@ -259,7 +259,10 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence)
offset1 = pos + (s->buf_ptr - s->buffer);
if (offset == 0)
return offset1;
+ if (offset > INT64_MAX - offset1)
+ return AVERROR(EINVAL);
offset += offset1;
+
}
if (offset < 0)
return AVERROR(EINVAL);
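Review bot: The new guard is one-sided: it only catches `offset + offset1` overflowing upward, and it is itself only well-defined when `offset1 >= 0`, because `INT64_MAX - offset1` overflows for a negative `offset1`. `offset1` is `pos + (s->buf_ptr - s->buffer)` on the first line of the hunk, and that addition is also unchecked; whether `pos` can be negative here is not visible in the hunk, so if it cannot, a short comment stating that invariant next to the guard (`/* offset1 >= 0: pos is non-negative, buf_ptr >= buffer */`) would make the one-sided check obviously sufficient. If `offset1` can be negative, the guard should cover both directions, e.g. `if (offset1 < 0 ? offset < INT64_MIN - offset1 : offset > INT64_MAX - offset1)`. Separately, the added empty line before the closing brace is stray whitespace and should be dropped. avio_seek continues outside the hunk.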
@@ -5572,7 +5572,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (atom.size < 0)
atom.size = INT64_MAX;
- while (total_size + 8 <= atom.size && !avio_feof(pb)) {
+ while (total_size <= atom.size - 8 && !avio_feof(pb)) {
int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL;
a.size = atom.size;
a.type=0;
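Review bot: The rewritten loop condition `total_size <= atom.size - 8` is only underflow-free because of the `atom.size = INT64_MAX` clamp two lines above it, which guarantees `atom.size >= 0`; that dependency is silent, and a later edit to the clamp would quietly reintroduce undefined behaviour in the condition. A comment on the `while` line would pin it: `/* atom.size >= 0 after the clamp above, so atom.size - 8 cannot underflow */`. Note also that when `atom.size < 8` the right-hand side is negative and the loop correctly never runs, which is worth stating in that comment since the old form read more naturally. Where `total_size` is advanced inside the loop is outside the hunk, so whether that accumulation is itself bounded against `atom.size` cannot be confirmed from here; mov_read_default continues past the hunk.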
Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka <vitalybuka@google.com> --- libavcodec/utils.c | 2 +- libavformat/aviobuf.c | 3 +++ libavformat/mov.c | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-)