From 367929bed9def1ccdd9a0f4ac5b7b98d1993782d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Mar 2018 23:12:57 +0100 Subject: avformat/mov: Fix integer overflow in mov_get_stsc_samples() Fixes: runtime error: signed integer overflow: 5 * -2147483647 cannot be represented in type 'int' Fixes: Chromium bug 817338 Reviewed-by: Matt Wolenetz Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'libavformat/mov.c') diff --git a/libavformat/mov.c b/libavformat/mov.c index 95b9cd3f8b..7002a82787 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2645,7 +2645,7 @@ static inline int mov_stsc_index_valid(unsigned int index, unsigned int count) } /* Compute the samples value for the stsc entry at the given index. */ -static inline int mov_get_stsc_samples(MOVStreamContext *sc, unsigned int index) +static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, unsigned int index) { int chunk_count; @@ -2654,7 +2654,7 @@ static inline int mov_get_stsc_samples(MOVStreamContext *sc, unsigned int index) else chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1); - return sc->stsc_data[index].count * chunk_count; + return sc->stsc_data[index].count * (int64_t)chunk_count; } static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom) @@ -7189,12 +7189,13 @@ static int mov_seek_stream(AVFormatContext *s, AVStream *st, int64_t timestamp, /* adjust stsd index */ time_sample = 0; for (i = 0; i < sc->stsc_count; i++) { - int next = time_sample + mov_get_stsc_samples(sc, i); + int64_t next = time_sample + mov_get_stsc_samples(sc, i); if (next > sc->current_sample) { sc->stsc_index = i; sc->stsc_sample = sc->current_sample - time_sample; break; } + av_assert0(next == (int)next); time_sample = next; } -- cgit v1.2.3