sbgdec: Check opt_duration and start for overflow

Michael Niedermayer Thu, 24 Jun 2021 13:59:35 -0700

Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000 
cannot be represented in type 'long'
Fixes: 
35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672


Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/sbgdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index dafdc4a1cc..0a6e927e57 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -935,6 +935,9 @@ static int expand_timestamps(void *log, struct sbg_script 
*s)
     }
     if (s->start_ts == AV_NOPTS_VALUE)
         s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : 
now;
+    if (av_sat_add64(s->start_ts, s->opt_duration) != s->start_ts + 
(uint64_t)s->opt_duration)
+        return AVERROR_INVALIDDATA;
+
     s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration :
                 AV_NOPTS_VALUE; /* may be overridden later by -E option */
     cur_ts = now;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/3] avformat/sbgdec: Check opt_duration and start for overflow

Reply via email to