From patchwork Sun Aug 20 18:55:21 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vitaly Buka
X-Patchwork-Id: 4760
From: Vitaly Buka
To: ffmpeg-devel@ffmpeg.org
Cc: Vitaly Buka
Date: Sun, 20 Aug 2017 11:55:21 -0700
Message-Id: <20170820185521.42816-1-vitalybuka@google.com>
In-Reply-To: <48157434-a7f0-e126-cf74-6c16039f5f91@gmail.com>
References: <48157434-a7f0-e126-cf74-6c16039f5f91@gmail.com>
Subject: [FFmpeg-devel] [PATCH] Fix signed integer overflows

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka
--- libavcodec/utils.c | 2 +- libavformat/aviobuf.c | 2 ++ libavformat/mov.c | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1336e921c9..1b8ad1d200 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c
@@ -971,7 +971,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) - avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 7f4e740a33..ec21fc7d38 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -259,6 +259,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) diff --git a/libavformat/mov.c b/libavformat/mov.c index 522ce60c2d..a14c9f182b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5572,7 +5572,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0;
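Review bot: in the libavcodec/utils.c hunk, the `3LL` suffix on `avctx->rc_buffer_size * 3LL / 4` is the whole fix, and nothing on the line says why it is there. A short comment (for example "64-bit multiply, rc_buffer_size * 3 can overflow int") would keep a later cleanup from turning it back into `* 3`. The quotient is also assigned straight back to `rc_initial_buffer_occupancy`; the field declarations are not in the hunk, so please confirm the narrowing is safe, which it is if both fields are `int` and `rc_buffer_size` is non-negative, and say so in the commit message.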
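Review bot: in the libavformat/aviobuf.c hunk, the new guard `if (offset > INT64_MAX - offset1)` only covers the upper bound and is itself only well defined when `offset1` is non-negative, because `INT64_MAX - offset1` overflows for a negative `offset1`. The line above it, `offset1 = pos + (s->buf_ptr - s->buffer);`, is also a signed addition with no check. If `offset1` can never be negative here, state that invariant in a comment next to the check; if it can, add the symmetric test (`offset1 < 0 && offset < INT64_MIN - offset1`) before `offset += offset1;`. The existing `if (offset < 0)` after the addition cannot catch an overflow that has already happened.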
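Review bot: in the libavformat/mov.c hunk, the rewritten condition `total_size <= atom.size - 8` is only overflow-free because of the clamp two lines above it, `if (atom.size < 0) atom.size = INT64_MAX;`, which guarantees `atom.size - 8` is never below -8. That dependency is implicit; a one-line comment on the `while` noting that `atom.size` is non-negative at this point would stop a later reordering from moving the overflow to the subtraction. It would also be worth mentioning in the commit message that the two forms are equivalent for all non-overflowing values, so reviewers can see that atoms smaller than 8 bytes still skip the loop as before.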