On Sat, Oct 10, 2015 at 1:51 PM, Ganesh Ajjanagadde
<gajjanaga...@gmail.com> wrote:
> Partially fixes Ticket 4727.
>
> -duration is not a safe expression, since duration can be INT_MIN.
> One might ask how it can become INT_MIN.
> Although it is true that line 2574 is no longer reached with INT_MIN due
> to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another
> integer overflow issue), mov_update_dts_shift is called on line 3549 as
> well, right after a read of untrusted data.
> One can do the fix locally there, but that function is already a huge
> mess. Changing mov_update_dts_shift is likely better.
>
> This changes duration to INT_MIN + 1 in such cases. This should not make any
> practical difference since such streams are anyway fuzzer files.
>
> Tested with FATE.
>
> Signed-off-by: Ganesh Ajjanagadde <gajjanaga...@gmail.com>
> ---
> libavformat/mov.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 4c073a3..87b46cf 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -2521,6 +2521,8 @@ static int mov_read_stts(MOVContext *c, AVIOContext
> *pb, MOVAtom atom)
> static void mov_update_dts_shift(MOVStreamContext *sc, int duration)
> {
> if (duration < 0) {
> + if (duration == INT_MIN)
> + duration++;
> sc->dts_shift = FFMAX(sc->dts_shift, -duration);
> }
> }
> --
> 2.6.1
>
ping
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
