Re: [FFmpeg-devel] [PATCH 2/2] avformat/mov: Fix integer overflow in mov_get_stsc_samples()
On Wed, Mar 07, 2018 at 10:14:09AM -0800, Matt Wolenetz wrote: > Friendly ping. I'd like to not have to land this in Chromium before > upstream ffmpeg, but I may need to soon. will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB it is not once nor twice but times without number that the same ideas make their appearance in the world. -- Aristotle signature.asc Description: PGP signature ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
Re: [FFmpeg-devel] [PATCH 2/2] avformat/mov: Fix integer overflow in mov_get_stsc_samples()
Friendly ping. I'd like to not have to land this in Chromium before upstream ffmpeg, but I may need to soon. On Tue, Mar 6, 2018 at 6:43 AM, Michael Niedermayerwrote: > Fixes: runtime error: signed integer overflow: 5 * -2147483647 cannot be > represented in type 'int' > Fixes: Chromium bug 817338 > Reviewed-by: Matt Wolenetz > Reported-by: Matt Wolenetz > Signed-off-by: Michael Niedermayer > --- > libavformat/mov.c | 7 --- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 95b9cd3f8b..7002a82787 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -2645,7 +2645,7 @@ static inline int mov_stsc_index_valid(unsigned int > index, unsigned int count) > } > > /* Compute the samples value for the stsc entry at the given index. */ > -static inline int mov_get_stsc_samples(MOVStreamContext *sc, unsigned > int index) > +static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, > unsigned int index) > { > int chunk_count; > > @@ -2654,7 +2654,7 @@ static inline int mov_get_stsc_samples(MOVStreamContext > *sc, unsigned int index) > else > chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1); > > -return sc->stsc_data[index].count * chunk_count; > +return sc->stsc_data[index].count * (int64_t)chunk_count; > } > > static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom) > @@ -7189,12 +7189,13 @@ static int mov_seek_stream(AVFormatContext *s, > AVStream *st, int64_t timestamp, > /* adjust stsd index */ > time_sample = 0; > for (i = 0; i < sc->stsc_count; i++) { > -int next = time_sample + mov_get_stsc_samples(sc, i); > +int64_t next = time_sample + mov_get_stsc_samples(sc, i); > if (next > sc->current_sample) { > sc->stsc_index = i; > sc->stsc_sample = sc->current_sample - time_sample; > break; > } > +av_assert0(next == (int)next); > time_sample = next; > } > > -- > 2.16.2 > > ___ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
Re: [FFmpeg-devel] [PATCH 2/2] avformat/mov: Fix integer overflow in mov_get_stsc_samples()
Friendly ping. I'd like to not have to land this in Chromium before upstream ffmpeg, but I may need to soon. On Tue, Mar 6, 2018 at 6:43 AM, Michael Niedermayerwrote: > Fixes: runtime error: signed integer overflow: 5 * -2147483647 cannot be > represented in type 'int' > Fixes: Chromium bug 817338 > Reviewed-by: Matt Wolenetz > Reported-by: Matt Wolenetz > Signed-off-by: Michael Niedermayer > --- > libavformat/mov.c | 7 --- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index 95b9cd3f8b..7002a82787 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -2645,7 +2645,7 @@ static inline int mov_stsc_index_valid(unsigned int > index, unsigned int count) > } > > /* Compute the samples value for the stsc entry at the given index. */ > -static inline int mov_get_stsc_samples(MOVStreamContext *sc, unsigned > int index) > +static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, > unsigned int index) > { > int chunk_count; > > @@ -2654,7 +2654,7 @@ static inline int mov_get_stsc_samples(MOVStreamContext > *sc, unsigned int index) > else > chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1); > > -return sc->stsc_data[index].count * chunk_count; > +return sc->stsc_data[index].count * (int64_t)chunk_count; > } > > static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom) > @@ -7189,12 +7189,13 @@ static int mov_seek_stream(AVFormatContext *s, > AVStream *st, int64_t timestamp, > /* adjust stsd index */ > time_sample = 0; > for (i = 0; i < sc->stsc_count; i++) { > -int next = time_sample + mov_get_stsc_samples(sc, i); > +int64_t next = time_sample + mov_get_stsc_samples(sc, i); > if (next > sc->current_sample) { > sc->stsc_index = i; > sc->stsc_sample = sc->current_sample - time_sample; > break; > } > +av_assert0(next == (int)next); > time_sample = next; > } > > -- > 2.16.2 > > ___ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel