From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 4CE2C483EB
	for <ffmpegdev@gitmailbox.com>; Wed, 29 Jan 2025 00:24:20 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 128BB68BB35;
	Wed, 29 Jan 2025 02:24:17 +0200 (EET)
Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com
 [209.85.214.173])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 85BA068B6BB
 for <ffmpeg-devel@ffmpeg.org>; Wed, 29 Jan 2025 02:24:10 +0200 (EET)
Received: by mail-pl1-f173.google.com with SMTP id
 d9443c01a7336-216634dd574so75903685ad.2
 for <ffmpeg-devel@ffmpeg.org>; Tue, 28 Jan 2025 16:24:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1738110247; x=1738715047; darn=ffmpeg.org;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=+7WPHi+5c4VyzmlnlmIkgc0Pv4QFvZFApGFqdwdiJmU=;
 b=hv6NxDH1qC05KgrWmQJMZeWkMSZ5o/MD5MI1hMUnLN/RGpvI+6drAC2jB3aNIc3Szs
 /CXbcXZ6peVwgKhQN3R0fQtxviu7DlJumjtpeAT5cP7RVW67xuMK9Ufd7xkncn3vQUAE
 iqBRat6J7r4UhlMRS2bu5pP3+IWxfzcHQcDFlFN++USo0bzSti+HHAfX6MqtQehqtOlJ
 4EiksUsjBeYhtznXQJDEZxBfacKO6R/nfWZAShV2KjnMYK/rMsnXYUeSKzIyIjQEC1lJ
 I6L3CGjf/WMJRDQvntJiQSosU3q7EaW36ne8ek9+hpFIbW00STxErwmnjtf27/Bnibed
 00jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1738110247; x=1738715047;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=+7WPHi+5c4VyzmlnlmIkgc0Pv4QFvZFApGFqdwdiJmU=;
 b=RpKKOD3JA3aJzjVaHHlt4+zpZxiRi4zQAHA+tXwUEkjwIgb1a6vE5Drb+Cxhf/JMch
 5RsUw6NESoyNVdctP7/KmYLeBqjvWnCvL0yMvUwg4kIPNWeUPe+Qko1QAQM5B+RcFk3G
 zl4+JWjODOQjTOJX48gWwrm9y7iJmUy0ewBIyTzRf6ZcQznep+MDtPTwlErWwNjuWOtQ
 6FVc4OZpGKwPAsVfaRmTJLr3hu29Vfv1Jz624J9+QqF1Ei4O5iyXZnEOJMgP1EBkgnEA
 TnlakKYxg1TIutbKJqRoOMrRY8EogMmJCIr3QN3HHH7dRoSON7fpPccw29j4nP5ga97t
 fcFw==
X-Gm-Message-State: AOJu0YwRJ6aGpW81TSnatqOAS9Oo28/b6Kl8Mt4jWGBfC+asgE3MnlLC
 JE3USSdoYm9s1KP/x8H7ffxxtOZ4qG6K9UmOkafDu6gGeomSko4doRSxlEhz
X-Gm-Gg: ASbGncu6d9A7/siOiCuJ6iSR8NqVIvK0ueEF/xOkizA/vLlIKMjcQQ/hQ2CrdHPLIWB
 6G87m98OkfMU6pbcTDlVQ5WO2IBT1wigo86IGob3ppbZ4scjfZTCuoi4h3Xp614Vt0AwoatI+nF
 sEFMr/5399heU7LqHG+NwuPVxI4GRsE4/Yx+UlErineDqA28C3YuZRHkVEUg18GxCb1r34H/ZSG
 kDRhntMHmcbTsHsLwB8jWRXTlBynorjCQWHHpRxln2gDhxn6tU/yRMguks2nRtpYCwrHit1jlKt
 HapsfcrLo6mGWau7c1Z1bIVSXbQ1aXw=
X-Google-Smtp-Source: AGHT+IHI1W7qnKEWkcULmUMAUuB75S2wHOmLEL2xLKa8HwroOejdEmwKxZ5yrIfNPd7kwUv9Ri1M9Q==
X-Received: by 2002:a17:903:23c5:b0:216:30f9:93d4 with SMTP id
 d9443c01a7336-21dd7c55e5cmr7929565ad.8.1738110247368; 
 Tue, 28 Jan 2025 16:24:07 -0800 (PST)
Received: from localhost.localdomain ([2800:2121:b040:c:f8c4:754f:745c:b9b7])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-21da41415desm87280375ad.143.2025.01.28.16.24.06
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 28 Jan 2025 16:24:06 -0800 (PST)
From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 28 Jan 2025 21:23:37 -0300
Message-ID: <20250129002337.11605-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.48.1
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH] avformat/mov: fix overflow in drift
 timestamp calculation
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250129002337.11605-1-jamrial@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

Fixes: signed integer overflow: 7803923888585309955 - -3407677434275325337 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 377736723/clusterfuzz-testcase-minimized-media_pipeline_integration_fuzzer-5052449500889088

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index c016ce8e41..2c8be51063 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3541,7 +3541,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         current_dts += sc->stts_data[i].duration * (uint64_t)sample_count;
 
         if (current_dts > corrected_dts) {
-            int64_t drift = (current_dts - corrected_dts)/FFMAX(sample_count, 1);
+            int64_t drift = av_sat_sub64(current_dts, corrected_dts) / FFMAX(sample_count, 1);
             uint32_t correction = (sc->stts_data[i].duration > drift) ? drift : sc->stts_data[i].duration - 1;
             current_dts -= correction * (uint64_t)sample_count;
             sc->stts_data[i].duration -= correction;
-- 
2.48.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".