authorGanesh Ajjanagadde <gajjanagadde@gmail.com>2015-10-10 13:39:28 -0400
committerGanesh Ajjanagadde <gajjanagadde@gmail.com>2015-10-13 19:41:07 -0400
commitd59bfcd11229300182c672ca734568919a85f773 (patch)
treed2168f50031d1c0a226044321cee9c8ebd69c24d /libavformat/mov.c
parent4c8ca76965b1c29758246624940cbc529e7141f0 (diff)
avformat/mov: fix integer overflow
Partially fixes Ticket 4727. -duration is not a safe expression, since duration can be INT_MIN. One might ask how it can become INT_MIN. Although it is true that line 2574 is no longer reached with INT_MIN due to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another integer overflow issue), mov_update_dts_shift is called on line 3549 as well, right after a read of untrusted data. One can do the fix locally there, but that function is already a huge mess. Changing mov_update_dts_shift is likely better. This changes duration to INT_MIN + 1 in such cases. This should not make any practical difference since such streams are anyway fuzzer files. Tested with FATE. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
Diffstat (limited to 'libavformat/mov.c')
-rw-r--r--libavformat/mov.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4c073a3cda..7c90d40f20 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2521,6 +2521,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
static void mov_update_dts_shift(MOVStreamContext *sc, int duration)
{
if (duration < 0) {
+ if (duration == INT_MIN) {
+ av_log(NULL, AV_LOG_WARNING, "mov_update_dts_shift(): dts_shift set to %d\n", INT_MAX);
+ duration++;
+ }
sc->dts_shift = FFMAX(sc->dts_shift, -duration);
}
}
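Review bot: The `av_log(NULL, ...)` call in the new `INT_MIN` branch logs without a context, so the warning cannot be attributed to the file or stream being demuxed. The commit message says this function is reached right after a read of untrusted data, so a crafted file may be able to trigger the message repeatedly; consider passing a logging context into the function (callers presumably hold one, not visible here) or logging once at the call site. The branch would also benefit from a comment such as `/* -INT_MIN is not representable in int; clamp so the negation below is defined */`. After the clamp `sc->dts_shift` ends up at INT_MAX, so later arithmetic on dts_shift outside this hunk should be checked for overflow as well, which fits the "Partially fixes" wording.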