authorMichael Niedermayer <michael@niedermayer.cc>2018-03-09 16:43:29 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2018-06-18 01:16:03 +0200
commit828044878484d211b171262f90d1b2e5169ce634 (patch)
treea82d164cba7fabafd1a6154b9536ad5cb36e6a0d
parent3fa6e594a0f2575ddb6b2183961fde42ab5ab37b (diff)
downloadffmpeg-828044878484d211b171262f90d1b2e5169ce634.tar.gz
avformat/mov: Fix integer overflows related to sample_duration
Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type Fixes: Chromium bug 791349 Reported-by: Matt Wolenetz <wolenetz@google.com> Reviewed-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/mov.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index f91a006639..25131449e7 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2682,14 +2682,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
&& total_sample_count > 100
&& sample_duration/10 > duration / total_sample_count)
sample_duration = duration / total_sample_count;
- duration+=(int64_t)sample_duration*sample_count;
+ duration+=(int64_t)sample_duration*(uint64_t)sample_count;
total_sample_count+=sample_count;
}
sc->stts_count = i;
- sc->duration_for_fps += duration;
- sc->nb_frames_for_fps += total_sample_count;
+ if (duration > 0 &&
+ duration <= INT64_MAX - sc->duration_for_fps &&
+ total_sample_count <= INT64_MAX - sc->nb_frames_for_fps
+ ) {
+ sc->duration_for_fps += duration;
+ sc->nb_frames_for_fps += total_sample_count;
+ }
if (pb->eof_reached)
return AVERROR_EOF;
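Review bot: The new `duration > 0` test only rejects a wrapped total that lands at or below zero; the accumulation on the `duration+=(int64_t)sample_duration*(uint64_t)sample_count;` line now wraps in unsigned arithmetic instead of overflowing, so an stts table whose running sum wraps back to a positive value would still be added to `sc->duration_for_fps`. `total_sample_count+=sample_count;` directly below it is likewise unchecked. Consider recording the wrap inside the loop (a flag set when the product or the running sum is not representable in int64_t) and skipping the fps accumulation when it is set, with a comment above the guard such as `/* skip fps statistics when the totals are not representable; both accumulators are assumed to be >= 0 here */`. The declarations of `duration`, `sample_duration` and `total_sample_count` are outside the hunk, so the exact conversion behaviour should be confirmed against them.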
@@ -4409,8 +4414,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom)
dts += sample_duration;
offset += sample_size;
sc->data_size += sample_size;
- sc->duration_for_fps += sample_duration;
- sc->nb_frames_for_fps ++;
+
+ if (sample_duration <= INT64_MAX - sc->duration_for_fps &&
+ 1 <= INT64_MAX - sc->nb_frames_for_fps
+ ) {
+ sc->duration_for_fps += sample_duration;
+ sc->nb_frames_for_fps ++;
+ }
}
if (pb->eof_reached)
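Review bot: `dts += sample_duration;` at the top of this hunk stays unguarded while the same value is now range-checked before it is added to `sc->duration_for_fps`, so if `dts` is a signed 64-bit value (its declaration is outside the hunk) a long or malformed trun run can still overflow it. The guard also relies on `sc->duration_for_fps` never being negative, because `INT64_MAX - sc->duration_for_fps` itself overflows otherwise; a one-line comment stating that invariant would help, e.g. `/* duration_for_fps and nb_frames_for_fps are kept >= 0, so the subtractions cannot overflow */`. When the check fails the sample is silently left out of the fps statistics, and a debug-level log at that point would make malformed files easier to diagnose. The loop this code sits in begins before the hunk.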