From patchwork Sun Aug 20 18:56:47 2017
X-Patchwork-Submitter: Vitaly Buka
X-Patchwork-Id: 4761
From: Vitaly Buka
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 20 Aug 2017 11:56:47 -0700
Message-Id: <20170820185647.42927-1-vitalybuka@google.com>
In-Reply-To: <48157434-a7f0-e126-cf74-6c16039f5f91@gmail.com>
References: <48157434-a7f0-e126-cf74-6c16039f5f91@gmail.com>
Subject: [FFmpeg-devel] [PATCH] Fix signed integer overflows
Cc: Vitaly Buka

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka
---
 libavcodec/utils.c    | 2 +-
 libavformat/aviobuf.c | 2 ++
 libavformat/mov.c     | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1336e921c9..1b8ad1d200 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -971,7 +971,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) - avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 7f4e740a33..ec21fc7d38 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -259,6 +259,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) diff --git a/libavformat/mov.c b/libavformat/mov.c index 522ce60c2d..a14c9f182b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5572,7 +5572,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0;
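
Review bot: in the libavcodec/utils.c hunk, `avctx->rc_buffer_size * 3LL / 4` widens the multiplication but the quotient is assigned straight back to `rc_initial_buffer_occupancy` with no word on why the narrowing is safe. It is safe as long as the destination is at least as wide as `rc_buffer_size`, because three quarters of a value never exceeds it in magnitude, but that reasoning belongs in a short comment or in the commit message. An explicit `(int64_t)avctx->rc_buffer_size * 3 / 4` would also match the `int64_t` / `INT64_MAX` vocabulary the other two hunks use, rather than relying on the `LL` suffix to promote the expression.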
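
Review bot: in the avio_seek() hunk (libavformat/aviobuf.c), the new guard `offset > INT64_MAX - offset1` is only overflow-free when `offset1` is non-negative, and it covers the positive direction only. `offset1` comes from `pos + (s->buf_ptr - s->buffer)` in the first context line, which is itself an unchecked signed addition. If `offset1` can never be negative at this point, state that in a comment or assert it; otherwise add the mirrored test (`offset1 < 0 && offset < INT64_MIN - offset1`) so that `offset += offset1` is covered in both directions before the existing `if (offset < 0)` check runs.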
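
Review bot: in the mov_read_default() hunk (libavformat/mov.c), the rewritten condition `total_size <= atom.size - 8` is only free of overflow because of the clamp `if (atom.size < 0) atom.size = INT64_MAX;` directly above it, and nothing in the code records that dependency. Without the clamp, `atom.size - 8` would overflow for values near INT64_MIN, so a later reordering of these lines would silently reintroduce the undefined behavior. A one-line comment tying the loop condition to the clamp would help. Also worth confirming in the commit message: for `atom.size` between 0 and 7 the right-hand side is now negative, which matches the old behavior only if `total_size` is a signed, non-negative value, and its declaration is not visible in this hunk.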