Message-ID: <045455db-b9f6-8bfd-5a98-f5af28c33263@gyani.pro>
Date: Tue, 21 Dec 2021 02:06:13 +0530
To: ffmpeg-devel@ffmpeg.org
References: <20211220195310.5633-1-ffmpeg@gyani.pro>
From: Gyan Doshi In-Reply-To: Subject: Re: [FFmpeg-devel] [PATCH] avformat/mov: abort reading truncated stts X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: On 2021-12-21 01:27 am, Andreas Rheinhardt wrote: > Gyan Doshi: >> Avoids overreading the box and ingesting absurd values into stts_data >> --- >> >> Fixes prolonged demuxing for fuzzer-generated files in the loop added in >> patch for max_stts_delta >> >> libavformat/mov.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/libavformat/mov.c b/libavformat/mov.c >> index 2aed6e80ef..8d88119b29 100644 >> --- a/libavformat/mov.c >> +++ b/libavformat/mov.c >> @@ -2935,6 +2935,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) >> avio_rb24(pb); /* flags */ >> entries = avio_rb32(pb); >> >> + if (atom.size < 8 + entries*8) { > This can overflow. Can you illustrate? atom.size is int64; entries is uint32. And cppreference says, "If the signed type can represent all values of the unsigned type, then the operand with the unsigned type is implicitly converted to the signed type. " Gyan _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
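Review bot: the guard `if (atom.size < 8 + entries*8)` can still be bypassed, because `entries*8` is evaluated in the type of `entries` (uint32, as the reply states) before anything is converted to int64; only the `<` comparison against `atom.size` promotes to the 64-bit type, so the product wraps for `entries >= 2^29` (2^29 * 8 == 2^32) and a truncated box carrying an absurd entry count passes the check. The cppreference rule quoted in the reply applies to the comparison, not to the earlier product. Widen the multiplication, e.g. `if (atom.size < 8 + (int64_t)entries * 8)`, or rearrange so nothing can wrap, e.g. `if (entries > (atom.size - 8) / 8)` (the comparison is then done in int64 and a box smaller than 8 bytes is rejected too).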
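As an added illustration (not part of the thread and not FFmpeg's code), the two forms of the size check side by side, using the types the reply names (atom.size int64, entries uint32), run on constructed input to show why the width of the product matters:

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the guard in mov_read_stts(): constructed for this example.
 * Returns 1 if the box passes the check, 0 if it is rejected as truncated. */

/* As written in the patch: entries * 8 is a uint32_t product and wraps
 * before the comparison promotes it to int64_t. */
int stts_size_ok_naive(int64_t atom_size, uint32_t entries)
{
    return !(atom_size < 8 + entries * 8);
}

/* Widened arithmetic: the product is computed in int64_t and cannot wrap. */
int stts_size_ok_fixed(int64_t atom_size, uint32_t entries)
{
    return !(atom_size < 8 + (int64_t)entries * 8);
}

int main(void)
{
    /* Constructed input: a 16-byte stts box (8 bytes of version/flags/count
     * plus one 8-byte entry) that claims 2^29 entries. 2^29 * 8 == 2^32,
     * which wraps to 0 in 32-bit arithmetic. */
    int64_t size = 16;
    uint32_t entries = UINT32_C(1) << 29;

    printf("naive check accepts box: %d\n", stts_size_ok_naive(size, entries)); /* 1 */
    printf("fixed check accepts box: %d\n", stts_size_ok_fixed(size, entries)); /* 0 */
    return 0;
}
```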