From patchwork Wed Jan 29 00:52:16 2020
X-Patchwork-Submitter: Dale Curtis
X-Patchwork-Id: 17607
From: Dale Curtis
Date: Tue, 28 Jan 2020 16:52:16 -0800
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] Fix undefined behavior in ff_configure_buffers_for_index()
List-Id: FFmpeg development discussions and patches

When e2_pts == INT64_MIN and e1_pts >= 0 the calculation of e2_pts - e1_pts will overflow an int64_t. So instead check for overflow and default to |time_tolerance| if the value is too large for an int64_t.

Signed-off-by: Dale Curtis

From 412751f4747faf34e3dba088dc55290783eb6bd5 Mon Sep 17 00:00:00 2001
From: Dale Curtis
Date: Tue, 28 Jan 2020 16:49:14 -0800
Subject: [PATCH] Fix undefined behavior in ff_configure_buffers_for_index()

When e2_pts == INT64_MIN and e1_pts >= 0 the calculation of e2_pts - e1_pts will overflow an int64_t. So instead check for overflow and default to |time_tolerance| if the value is too large for an int64_t.

Signed-off-by: Dale Curtis
--- libavformat/utils.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e22ca7cab8..d6197358c9 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c
@@ -2135,7 +2135,13 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) for (; i2 < st2->nb_index_entries; i2++) { AVIndexEntry *e2 = &st2->index_entries[i2]; int64_t e2_pts = av_rescale_q(e2->timestamp, st2->time_base, AV_TIME_BASE_Q); - if (e2_pts - e1_pts < time_tolerance) + int64_t delta = e1_pts < 1 ? INT64_MAX + e1_pts >= e2_pts + ? e2_pts - e1_pts + : time_tolerance + : INT64_MIN + e1_pts <= e2_pts + ? e2_pts - e1_pts + : time_tolerance; + if (delta < time_tolerance) continue; pos_delta = FFMAX(pos_delta, e1->pos - e2->pos); break; -- 2.25.0.341.g760bfbb309-goog
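Review bot: In the second arm of the new `delta` expression (taken when `e1_pts >= 1`), falling back to `time_tolerance` selects the wrong branch for the very case the commit message describes. When `INT64_MIN + e1_pts <= e2_pts` is false, the true value of `e2_pts - e1_pts` lies below INT64_MIN, so it is certainly less than `time_tolerance` and the entry should be skipped with `continue`, as the old comparison intended. With `delta = time_tolerance`, the test `delta < time_tolerance` is false, so the loop instead updates `pos_delta` from this entry and breaks. The fallback is only correct in the first arm (`e1_pts < 1`), where the true difference exceeds INT64_MAX and is therefore not below the tolerance. Suggest using INT64_MIN as the fallback in the underflow arm (or simply `continue` there), and writing the two range checks as an explicit if/else or a small helper with parentheses, since the unparenthesized nested `?:` is hard to verify by eye.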