PR #22370 opened by Ted Meyer (usepgp)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22370
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22370.patch

A chromium UBSAN fuzzer caught this instance.


From e367e5b76f0ece76a9e3dd9ed3e1f34d067c8944 Mon Sep 17 00:00:00 2001
From: Ted Meyer <[email protected]>
Date: Tue, 3 Mar 2026 12:52:25 -0800
Subject: [PATCH] Handle potential integer overflow in MOV parser

A chromium UBSAN fuzzer caught this instance.
---
 libavformat/mov.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 396a559fa4..c3e9ecab72 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4327,7 +4327,12 @@ static void mov_fix_index(MOVContext *mov, AVStream *st)
                st->index, edit_list_index, edit_list_media_time, 
edit_list_duration);
         edit_list_index++;
         edit_list_dts_counter = edit_list_dts_entry_end;
-        edit_list_dts_entry_end += edit_list_duration;
+        edit_list_dts_entry_end = av_sat_add64(edit_list_dts_entry_end, 
edit_list_duration);
+        if (edit_list_dts_entry_end == INT64_MAX) {
+            av_log(mov->fc, AV_LOG_ERROR, "Cannot calculate dts entry length 
with duration %"PRId64"\n",
+                   edit_list_duration);
+            break;
+        }
         num_discarded_begin = 0;
         if (!found_non_empty_edit && edit_list_media_time == -1) {
             empty_edits_sum_duration += edit_list_duration;
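Review bot: the post-add check only catches saturation in the positive direction. av_sat_add64 clamps to INT64_MIN as well as INT64_MAX, and edit_list_duration is a signed 64-bit value (the hunk prints it with PRId64), so if a file can supply a negative duration, a sum that underflows would pass the `== INT64_MAX` test and the loop would continue with a clamped edit_list_dts_entry_end. Testing both saturation values, e.g. `if (edit_list_dts_entry_end == INT64_MAX || edit_list_dts_entry_end == INT64_MIN)`, closes that gap; alternatively, check the overflow condition before the addition so a legitimate result that happens to equal INT64_MAX is not reported as an error. Two smaller points: the `break` leaves mov_fix_index with a partially rebuilt index, so a one-line comment stating that the remaining edit list entries are intentionally dropped would document the recovery behaviour, and the message says "dts entry length" while the variable being computed is an entry end; naming edit_list_dts_entry_end in the log text would make the error easier to trace.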
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]