demux/demux_edl.c:246: signed integer overflow in hls_bitrate calculation #18120

@51511

Description

mpv Information

mpv v0.40.0 Copyright © 2000-2025 mpv/MPlayer/mplayer2 projects
libplacebo version: v7.349.0
FFmpeg version: 7.1.2-0+deb13u1 (runtime 7.1.4-0+deb13u1)
FFmpeg library versions:
   libavcodec      61.19.101
   libavdevice     61.3.100
   libavfilter     10.4.100 (runtime 10.5.100)
   libavformat     61.7.100 (runtime 61.7.102)
   libavutil       59.39.100
   libswresample   5.3.100
   libswscale      8.3.100

Important Information

- Platform version: Ubuntu (Linux x86_64)
- GPU model, driver and version: N/A (audio-only reproduction)
- Source of mpv: Built from source (v0.40.0 tag)
- Latest known working version: N/A (logic bug, not a regression)
- Issue started after the following happened: Found during code review

Reproduction Steps

  1. Create a test audio file:
    ffmpeg -f lavfi -i "sine=frequency=440:duration=2" /tmp/test.mp4

  2. Create poc.edl:

    mpv EDL v0

    /tmp/test.mp4
    !track_meta,byterate=268435456

  3. Run:
    mpv --no-video --length=0.1 poc.edl

Expected Behavior

byterate=268435456 should be clamped or rejected. hls_bitrate should not overflow.

Actual Behavior

Signed integer overflow occurs at demux/demux_edl.c:246:

    sh->hls_bitrate = get_param_int(&ctx, "byterate", 0) * 8;

get_param_int() correctly clamps the value to INT_MAX, but the multiplication
by 8 is performed as signed int with no guard. byterate >= 268435456 causes UB.

UBSan output (built with -fsanitize=undefined,signed-integer-overflow):
    demux/demux_edl.c:246:70: runtime error: signed integer overflow:
    268435456 * 8 cannot be represented in type 'int'

The overflowed negative value then affects HLS track selection logic in
player/loadfile.c:499-508, bypassing --hls-bitrate limits.

Suggested fix:
    int64_t br = (int64_t)get_param_int(&ctx, "byterate", 0) * 8;
    sh->hls_bitrate = (int)MPMIN(br, INT_MAX);

Log File

mpv_poc.log

Sample Files

poc.edl.zip

I carefully read all instructions and confirm that I did the following:

  • I tested and confirmed that the issue exists with the latest release version or newer.
  • I provided all required information including system and mpv version.
  • I produced the log file with the exact same set of files, parameters, and conditions used in "Reproduction Steps", with the addition of --log-file=output.txt.
  • I produced the log file while the behaviors described in "Actual Behavior" were actively observed.
  • I attached the full, untruncated log file.
  • I attached the backtrace in the case of a crash.
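
The byterate-to-bitrate conversion from the report, as an added stand-alone example (not mpv's code and not written by the reporter), showing the widen-then-clamp approach beside a variant that rejects out-of-range input. The function names are hypothetical, a 32-bit `int` is assumed, and treating a negative byterate as invalid is an assumption of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Widen before multiplying, then saturate into int range.
 * Assumption: a negative byterate is meaningless and maps to 0. */
static int bitrate_clamped(int byterate)
{
    int64_t bits = (int64_t)byterate * 8;   /* cannot overflow in 64 bits */
    if (bits < 0)
        return 0;
    return bits > INT_MAX ? INT_MAX : (int)bits;
}

/* Reject instead of clamp: returns false when byterate * 8 does not fit
 * in int. __builtin_mul_overflow is a GCC/Clang builtin. */
static bool bitrate_checked(int byterate, int *out)
{
    if (byterate < 0)
        return false;
    return !__builtin_mul_overflow(byterate, 8, out);
}

int main(void)
{
    /* Constructed inputs around the 2^28 boundary named in the report. */
    const int samples[] = { 16000, 268435455, 268435456, INT_MAX };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int checked = 0;
        bool ok = bitrate_checked(samples[i], &checked);
        printf("byterate=%d clamped=%d checked=%s\n", samples[i],
               bitrate_clamped(samples[i]), ok ? "fits" : "rejected");
    }
    return 0;
}
```

Building this with `-fsanitize=signed-integer-overflow` produces no runtime error for any of the sample inputs, because neither function performs the multiplication in `int` without a check.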
