[FFmpeg-cvslog] avformat/mov: fix integer overflow

[Ganesh Ajjanagadde]

ffmpeg | branch: master | Ganesh Ajjanagadde <gajjanagadde at gmail.com> | Sat Oct 10 13:39:28 2015 -0400| [d59bfcd11229300182c672ca734568919a85f773] | committer: Ganesh Ajjanagadde

avformat/mov: fix integer overflow

Partially fixes Ticket 4727.

-duration is not a safe expression, since duration can be INT_MIN.
One might ask how it can become INT_MIN.
Although it is true that line 2574 is no longer reached with INT_MIN due
to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another
integer overflow issue), mov_update_dts_shift is called on line 3549 as
well, right after a read of untrusted data.
One can do the fix locally there, but that function is already a huge
mess. Changing mov_update_dts_shift is likely better.

This changes duration to INT_MIN + 1 in such cases. This should not make any
practical difference since such streams are anyway fuzzer files.

Tested with FATE.

Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: Ganesh Ajjanagadde <gajjanagadde at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d59bfcd11229300182c672ca734568919a85f773
---

 libavformat/mov.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4c073a3..7c90d40 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2521,6 +2521,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 static void mov_update_dts_shift(MOVStreamContext *sc, int duration)
 {
     if (duration < 0) {
+        if (duration == INT_MIN) {
+            av_log(NULL, AV_LOG_WARNING, "mov_update_dts_shift(): dts_shift set to %d\n", INT_MAX);
+            duration++;
+        }
         sc->dts_shift = FFMAX(sc->dts_shift, -duration);
     }
 }