This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new fc7cab6be3 avformat/mov: Handle integer overflow in MOV parser
fc7cab6be3 is described below
commit fc7cab6be30b3dde0fd80cc122995c099dfac4e2
Author: Ted Meyer <[email protected]>
AuthorDate: Tue Mar 3 12:52:25 2026 -0800
Commit: Ted Meyer <[email protected]>
CommitDate: Tue Mar 24 23:48:18 2026 +0000
avformat/mov: Handle integer overflow in MOV parser
A chromium UBSAN fuzzer caught this instance.
---
libavformat/mov.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2496b4fe5b..e2e6b1c5f3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4333,7 +4333,12 @@ static void mov_fix_index(MOVContext *mov, AVStream *st)
st->index, edit_list_index, edit_list_media_time,
edit_list_duration);
edit_list_index++;
edit_list_dts_counter = edit_list_dts_entry_end;
- edit_list_dts_entry_end += edit_list_duration;
+ edit_list_dts_entry_end = av_sat_add64(edit_list_dts_entry_end,
edit_list_duration);
+ if (edit_list_dts_entry_end == INT64_MAX) {
+ av_log(mov->fc, AV_LOG_ERROR, "Cannot calculate dts entry length
with duration %"PRId64"\n",
+ edit_list_duration);
+ break;
+ }
num_discarded_begin = 0;
if (!found_non_empty_edit && edit_list_media_time == -1) {
empty_edits_sum_duration += edit_list_duration;
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
