[FFmpeg-devel] [PATCH 2/2] avformat/mov: Fix integer overflow in mov_get_stsc_samples()
Matt Wolenetz
wolenetz at google.com
Wed Mar 7 20:14:09 EET 2018
Friendly ping. I'd like to not have to land this in Chromium before
upstream ffmpeg, but I may need to soon.
On Tue, Mar 6, 2018 at 6:43 AM, Michael Niedermayer <michael at niedermayer.cc>
wrote:
> Fixes: runtime error: signed integer overflow: 5 * -2147483647 cannot be
> represented in type 'int'
> Fixes: Chromium bug 817338
> Reviewed-by: Matt Wolenetz <wolenetz at google.com>
> Reported-by: Matt Wolenetz <wolenetz at google.com>
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/mov.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 95b9cd3f8b..7002a82787 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -2645,7 +2645,7 @@ static inline int mov_stsc_index_valid(unsigned int
> index, unsigned int count)
> }
>
> /* Compute the samples value for the stsc entry at the given index. */
> -static inline int mov_get_stsc_samples(MOVStreamContext *sc, unsigned
> int index)
> +static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc,
> unsigned int index)
> {
> int chunk_count;
>
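Review bot: Widening the return type to int64_t in the signature means any caller that still stores the result in an int now truncates silently. The visible part of this patch updates only the call in mov_seek_stream, so every other call site of mov_get_stsc_samples() should be checked and widened, or range-checked, in the same change.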
> @@ -2654,7 +2654,7 @@ static inline int mov_get_stsc_samples(MOVStreamContext
> *sc, unsigned int index)
> else
> chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1);
>
> - return sc->stsc_data[index].count * chunk_count;
> + return sc->stsc_data[index].count * (int64_t)chunk_count;
> }
>
> static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom)
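Review bot: The (int64_t) cast on the return line removes the overflow, but a negative chunk_count still passes through. The commit message's own case is 5 * -2147483647, which now yields a large negative sample count instead of undefined behaviour. Consider rejecting chunk_count < 0 here, or validating stsc_data[index].first against sc->chunk_count where the table is read, so callers never add a negative value into their running totals.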
> @@ -7189,12 +7189,13 @@ static int mov_seek_stream(AVFormatContext *s,
> AVStream *st, int64_t timestamp,
> /* adjust stsd index */
> time_sample = 0;
> for (i = 0; i < sc->stsc_count; i++) {
> - int next = time_sample + mov_get_stsc_samples(sc, i);
> + int64_t next = time_sample + mov_get_stsc_samples(sc, i);
> if (next > sc->current_sample) {
> sc->stsc_index = i;
> sc->stsc_sample = sc->current_sample - time_sample;
> break;
> }
> + av_assert0(next == (int)next);
> time_sample = next;
> }
>
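Review bot: av_assert0(next == (int)next) inside the loop aborts the process when the running total leaves int range, and that total is built from the file's stsc entries, so a crafted file trades the overflow for an abort. mov_seek_stream returns int, so failing the seek with an error such as AVERROR_INVALIDDATA would handle the same condition without taking the process down. Note also that the check accepts a negative next as long as it fits in int, and it is skipped on the break path.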
> --
> 2.16.2
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>