Re: [FFmpeg-devel] [PATCHv2] avformat/mov: fix integer overflow

2015-10-13 Thread Ganesh Ajjanagadde
On Tue, Oct 13, 2015 at 1:49 PM, Michael Niedermayer wrote:
> On Tue, Oct 13, 2015 at 12:26:24PM -0400, Ganesh Ajjanagadde wrote:
>> Partially fixes Ticket 4727.
>>
>> -duration is not a safe expression, since duration can be INT_MIN.
>> One might ask how it can become INT_MIN.
>> Although it is true that line 2574 is no longer reached with INT_MIN due
>> to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another
>> integer overflow issue), mov_update_dts_shift is called on line 3549 as
>> well, right after a read of untrusted data.
>> One can do the fix locally there, but that function is already a huge
>> mess. Changing mov_update_dts_shift is likely better.
>>
>> This changes duration to INT_MIN + 1 in such cases. This should not make any
>> practical difference since such streams are anyway fuzzer files.
>>
>> Tested with FATE.
>>
>> Signed-off-by: Ganesh Ajjanagadde 
>> ---
>>  libavformat/mov.c | 4 
>>  1 file changed, 4 insertions(+)
>
> LGTM
>
> thx

pushed and updated ticket, thanks.

>
> [...]
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Many things microsoft did are stupid, but not doing something just because
> microsoft did it is even more stupid. If everything ms did were stupid they
> would be bankrupt already.
>
> ___
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>


Re: [FFmpeg-devel] [PATCHv2] avformat/mov: fix integer overflow

2015-10-13 Thread Michael Niedermayer
On Tue, Oct 13, 2015 at 12:26:24PM -0400, Ganesh Ajjanagadde wrote:
> Partially fixes Ticket 4727.
> 
> -duration is not a safe expression, since duration can be INT_MIN.
> One might ask how it can become INT_MIN.
> Although it is true that line 2574 is no longer reached with INT_MIN due
> to commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d (which fixed another
> integer overflow issue), mov_update_dts_shift is called on line 3549 as
> well, right after a read of untrusted data.
> One can do the fix locally there, but that function is already a huge
> mess. Changing mov_update_dts_shift is likely better.
> 
> This changes duration to INT_MIN + 1 in such cases. This should not make any
> practical difference since such streams are anyway fuzzer files.
> 
> Tested with FATE.
> 
> Signed-off-by: Ganesh Ajjanagadde 
> ---
>  libavformat/mov.c | 4 
>  1 file changed, 4 insertions(+)

LGTM

thx

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
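
The overflow discussed in the commit message, as an added example that is not FFmpeg's code and not part of this thread: a signed 32-bit field read from untrusted bytes can be INT_MIN, so it is clamped to INT_MIN + 1 before negation. `read_be32_signed` and `update_shift` are hypothetical names, the sample bytes are constructed, and `int` is assumed to be 32 bits wide.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a big-endian signed 32-bit field without relying on
 * implementation-defined unsigned-to-signed conversion. */
static int32_t read_be32_signed(const uint8_t *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    if (u <= INT32_MAX)
        return (int32_t)u;
    return -(int32_t)(UINT32_MAX - u) - 1;
}

/* Hypothetical stand-in for a dts-shift update: keep the largest
 * magnitude of any negative duration seen so far. */
static int update_shift(int shift, int duration)
{
    if (duration < 0) {
        if (duration == INT_MIN)    /* -INT_MIN is undefined behaviour */
            duration = INT_MIN + 1; /* clamp, as the commit message describes */
        if (-duration > shift)
            shift = -duration;
    }
    return shift;
}

int main(void)
{
    /* Constructed sample fields, as a fuzzed file might supply them. */
    static const uint8_t samples[][4] = {
        {0x00, 0x00, 0x00, 0x10},  /* +16: leaves shift alone */
        {0xFF, 0xFF, 0xFF, 0xFB},  /* -5 */
        {0x80, 0x00, 0x00, 0x00},  /* INT_MIN: the overflow case */
    };
    int shift = 0;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int32_t d = read_be32_signed(samples[i]);
        shift = update_shift(shift, d);
        printf("duration=%ld shift=%d\n", (long)d, shift);
    }
    return 0;
}
```

Building the unguarded variant with `-fsanitize=signed-integer-overflow` reports the negation at run time, which is a quick way to confirm a guard like this is needed at each call site that handles untrusted input.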

