From patchwork Sun Aug 20 01:17:14 2017
X-Patchwork-Submitter: Vitaly Buka
X-Patchwork-Id: 4758
From: Vitaly Buka
To: ffmpeg-devel@ffmpeg.org
Cc: Vitaly Buka
Date: Sat, 19 Aug 2017 18:17:14 -0700
Message-Id: <20170820011714.25884-1-vitalybuka@google.com>
In-Reply-To: <20170819235022.GF7094@nb4>
References: <20170819235022.GF7094@nb4>
Subject: [FFmpeg-devel] [PATCH] Fix signed integer overflows

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka
--- libavcodec/utils.c | 2 +- libavformat/aviobuf.c | 3 +++ libavformat/mov.c | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1336e921c9..024dc1f3e2 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -971,7 +971,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) - avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3ll / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 7f4e740a33..b708f18d43 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -259,7 +259,10 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; + } if (offset < 0) return AVERROR(EINVAL); diff --git a/libavformat/mov.c b/libavformat/mov.c index 522ce60c2d..a14c9f182b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5572,7 +5572,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0;
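
Review bot: In the libavcodec/utils.c hunk (@@ -971,7), the lowercase suffix in `avctx->rc_buffer_size * 3ll / 4` is easy to misread as 311; write `3LL`, or cast the operand instead, for example `(int64_t)avctx->rc_buffer_size * 3 / 4`, which also makes the intended width explicit. The 64-bit result is narrowed again on assignment to rc_initial_buffer_occupancy. That is value-preserving because three quarters of the operand cannot exceed its magnitude, assuming both fields have the same integer type, but a short comment saying so would save the next reader the check.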
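
Review bot: In the libavformat/aviobuf.c hunk (avio_seek, @@ -259,7), the new guard `offset > INT64_MAX - offset1` covers only the upper bound and is itself well defined only while offset1 is non-negative; with a negative offset1 the subtraction would overflow, and the visible `offset1 = pos + (s->buf_ptr - s->buffer)` is a signed addition with no check of its own. Either state or assert that offset1 >= 0 at this point, or make the guard two-sided so that a negative offset1 is tested against INT64_MIN instead, before `offset += offset1`. Returning AVERROR(EINVAL) matches the existing `offset < 0` rejection just below. The third added line appears here as a `+` in front of `}` with no added opening brace; if it is an added blank line, drop it from the patch.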
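
Review bot: In the libavformat/mov.c hunk (mov_read_default, @@ -5572,7), the rewritten condition `total_size <= atom.size - 8` is safe only because of the `if (atom.size < 0) atom.size = INT64_MAX;` clamp directly above it, which keeps the subtraction from wrapping below INT64_MIN; add a comment tying the two together so the clamp is not moved or removed later. For atom.size between 0 and 7 the right-hand side is now negative, which matches the old behaviour only while total_size is non-negative. The hunk does not show how total_size is updated, so that is worth confirming in the loop body.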