From b71b35814b563b4e5245885eb68b92dff99039f0 Mon Sep 17 00:00:00 2001
From: Paul Adenot
Date: Fri, 13 Feb 2026 15:27:38 +0100
Subject: [PATCH] Fix integer overflow in composition time calculation

Use checked_add() instead of unchecked addition when calculating start_composition and end_composition times. Malformed MP4 files could trigger integer overflow, causing a panic in debug builds. The fix returns None when overflow is detected, allowing the error to propagate gracefully rather than crashing. Fixes Mozilla bug 2014838.
---
 mp4parse/src/unstable.rs | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/mp4parse/src/unstable.rs b/mp4parse/src/unstable.rs
index c8a4c5f5..7de7ca95 100644
--- a/mp4parse/src/unstable.rs
+++ b/mp4parse/src/unstable.rs
@@ -239,8 +239,23 @@ pub fn create_sample_table(
 let start_decode = decode_time;
- sample.start_composition = CheckedInteger(track_offset_time.0 + start_composition?.0);
- sample.end_composition = CheckedInteger(track_offset_time.0 + end_composition?.0);
+ let start_composition_val: i64 = match start_composition {
+ Some(sc) => sc.0,
+ None => return None,
+ };
+ let end_composition_val: i64 = match end_composition {
+ Some(ec) => ec.0,
+ None => return None,
+ };
+
+ let track_offset: i64 = track_offset_time.0;
+
+ sample.start_composition = CheckedInteger(
+ track_offset.checked_add(start_composition_val)?
+ );
+ sample.end_composition = CheckedInteger(
+ track_offset.checked_add(end_composition_val)?
+ );
 sample.start_decode = CheckedInteger(start_decode.0);
 }
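Review bot: The two `match` blocks that unwrap `start_composition` and `end_composition` with `None => return None` repeat what the `?` operator on the removed lines already did, so the fix needs only the `checked_add` call: `sample.start_composition = CheckedInteger(track_offset_time.0.checked_add(start_composition?.0)?);` and the same for `end_composition`. The compact form keeps the security-relevant change, a checked addition on values derived from untrusted MP4 input, visible at a glance instead of spread over seventeen added lines. The patch touches only `unstable.rs` and adds no regression test; a malformed-input case asserting that `create_sample_table` returns `None` when the sum exceeds `i64::MAX` would guard against the unchecked `+` being reintroduced. The function's body begins and ends outside the hunk, so whether the other time arithmetic in it is checked in the same way cannot be confirmed from here.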