| Message ID | mailman.727.1555711168.1132.ffmpeg-devel@ffmpeg.org |
|---|---|
| State | New |
| Headers | show |
On Sat, Apr 20, 2019 at 12:59:29AM +0300, Dan Sanders via ffmpeg-devel wrote: > Date: Fri, 19 Apr 2019 14:52:01 -0700 > From: Dan Sanders <sandersd@google.com> > To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> > Subject: [PATCH] libavformat/mov: limit nb_frames_for_fps to INT_MAX > > Fixes: UBSan runtime error > Found-by: Clusterfuzz > --- > libavformat/mov.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index d5ce077e63..7e7de5962d 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -2940,7 +2940,7 @@ static int mov_read_stts(MOVContext *c, > AVIOContext *pb, MOVAtom atom) > > if (duration > 0 && > duration <= INT64_MAX - sc->duration_for_fps && > - total_sample_count <= INT64_MAX - sc->nb_frames_for_fps > + total_sample_count <= INT_MAX - sc->nb_frames_for_fps > ) { > sc->duration_for_fps += duration; > sc->nb_frames_for_fps += total_sample_count; There are 2 places that increase nb_frames_for_fps, the 2nd uses INT64_MAX too. I think both should be changed or the type should be changed thx [...]
diff --git a/libavformat/mov.c b/libavformat/mov.c index d5ce077e63..7e7de5962d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2940,7 +2940,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (duration > 0 && duration <= INT64_MAX - sc->duration_for_fps && - total_sample_count <= INT64_MAX - sc->nb_frames_for_fps + total_sample_count <= INT_MAX - sc->nb_frames_for_fps ) { sc->duration_for_fps += duration;
Fixes: UBSan runtime error Found-by: Clusterfuzz --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) sc->nb_frames_for_fps += total_sample_count;