
[FFmpeg-devel] libavformat/mov: limit nb_frames_for_fps to INT_MAX

Message ID CAOYzH=KbmAh60jAusjKohxUN1XmNgMoQ=nAocLLt=Qg4PDT3WA@mail.gmail.com
State New

Commit Message

Dan Sanders April 22, 2019, 6:05 p.m. UTC
It's this or add overflow detection in mov_read_header().
---
 libavformat/mov.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

         sc->nb_frames_for_fps += total_sample_count;
@@ -4897,7 +4897,7 @@ static int mov_read_trun(MOVContext *c,
AVIOContext *pb, MOVAtom atom)
         sc->data_size += sample_size;

         if (sample_duration <= INT64_MAX - sc->duration_for_fps &&
-            1 <= INT64_MAX - sc->nb_frames_for_fps
+            1 <= INT_MAX - sc->nb_frames_for_fps
         ) {
             sc->duration_for_fps += sample_duration;
             sc->nb_frames_for_fps ++;
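Review bot: The new bound `1 <= INT_MAX - sc->nb_frames_for_fps` in mov_read_trun has no comment saying why the counter is capped at INT_MAX, so the reason (the consumer in mov_read_header() does no overflow detection, per the commit message) is recorded only in the commit log. I would add above the condition `/* cap at INT_MAX: mov_read_header() uses this count without overflow detection */`. The same comment belongs on the `total_sample_count <= INT_MAX - sc->nb_frames_for_fps` bound in the mov_read_stts hunk. The subtraction form is only well-defined while nb_frames_for_fps is non-negative; its declaration is not visible here, so it is worth confirming that the field starts at 0 and is only grown through these two guarded sites, both of which take their counts from the parsed file. Both function bodies continue outside the hunks.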

Comments

Michael Niedermayer April 23, 2019, 5:17 p.m. UTC | #1
On Mon, Apr 22, 2019 at 11:05:00AM -0700, Dan Sanders wrote:
> It's this or add overflow detection in mov_read_header().
> ---
>  libavformat/mov.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

will apply

thanks

[...]

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index d5ce077e63..247a65ed11 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2940,7 +2940,7 @@  static int mov_read_stts(MOVContext *c,
AVIOContext *pb, MOVAtom atom)

     if (duration > 0 &&
         duration <= INT64_MAX - sc->duration_for_fps &&
-        total_sample_count <= INT64_MAX - sc->nb_frames_for_fps
+        total_sample_count <= INT_MAX - sc->nb_frames_for_fps
     ) {
         sc->duration_for_fps  += duration;