diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2018-03-09 16:43:29 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-10-23 01:44:40 +0200 |
commit | 30d40580c4e0a42eba5e79a29fbad5ae09a78948 (patch) | |
tree | b059607410418b21840f283781017df94bf2e2df | |
parent | ad7c57f9db506cc0c6c3b8e36a14d8e00df0dcfe (diff) | |
download | ffmpeg-30d40580c4e0a42eba5e79a29fbad5ae09a78948.tar.gz |
avformat/mov: Fix integer overflows related to sample_duration
Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type
Fixes: Chromium bug 791349
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavformat/mov.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index d41778cbed..30ec2d20e3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2496,14 +2496,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) && total_sample_count > 100 && sample_duration/10 > duration / total_sample_count) sample_duration = duration / total_sample_count; - duration+=(int64_t)sample_duration*sample_count; + duration+=(int64_t)sample_duration*(uint64_t)sample_count; total_sample_count+=sample_count; } sc->stts_count = i; - sc->duration_for_fps += duration; - sc->nb_frames_for_fps += total_sample_count; + if (duration > 0 && + duration <= INT64_MAX - sc->duration_for_fps && + total_sample_count <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += duration; + sc->nb_frames_for_fps += total_sample_count; + } if (pb->eof_reached) return AVERROR_EOF; @@ -3649,8 +3654,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) dts += sample_duration; offset += sample_size; sc->data_size += sample_size; - sc->duration_for_fps += sample_duration; - sc->nb_frames_for_fps ++; + + if (sample_duration <= INT64_MAX - sc->duration_for_fps && + 1 <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += sample_duration; + sc->nb_frames_for_fps ++; + } } if (pb->eof_reached) |