[FFmpeg-devel] [PATCH 1/3] avformat/avidec: Fix integer overflow in cum_len check

Michael Niedermayer michael at niedermayer.cc
Fri Mar 9 20:20:10 EET 2018


On Fri, Mar 09, 2018 at 11:03:33AM +0100, Tomas Härdin wrote:
> On 2018-03-09 02:37, Michael Niedermayer wrote:
> >Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long'
> >Fixes: Chromium bug 791237
> >
> >Reported-by: Matt Wolenetz <wolenetz at google.com>
> >Reviewed-by: Matt Wolenetz <wolenetz at google.com>
> >Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> >---
> >  libavformat/avidec.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> >diff --git a/libavformat/avidec.c b/libavformat/avidec.c
> >index 3ff515d492..bafe1dc8da 100644
> >--- a/libavformat/avidec.c
> >+++ b/libavformat/avidec.c
> >@@ -670,7 +670,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
> >              st->start_time = 0;
> >              avio_rl32(pb); /* buffer size */
> >              avio_rl32(pb); /* quality */
> >-            if (ast->cum_len*ast->scale/ast->rate > 3600) {
> >+            if (ast->cum_len > 3600LL * ast->rate / ast->scale) {
> >                  av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving up\n");
> >                  ast->cum_len = 0;
> >              }
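Review bot: The divisor in the new condition is ast->scale (`3600LL * ast->rate / ast->scale`), where the old expression divided by ast->rate, and nothing in the visible context shows that scale is checked for zero before this line. Please confirm that scale is validated earlier in the header parsing, or guard the division here. The integer division also truncates the threshold, so the result can differ from the old check for values right at the one-hour boundary; a short comment saying this is a coarse sanity limit would make that intent clear.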
> 
> Isn't there an AVRational compare function for stuff like this?

AVRational is signed 32/32 bit, cum_len is 64 bit initialized
by 32bit unsigned. The others are 32bit unsigned.
So this likely would not fit very well in AVRational based functions


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

You can kill me, but you cannot change the truth.