On 6/24/2021 5:57 PM, Michael Niedermayer wrote:
Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000
cannot be represented in type 'long'
Fixes:
35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavformat/sbgdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index dafdc4a1cc..0a6e927e57 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -935,6 +935,9 @@ static int expand_timestamps(void *log, struct sbg_script
*s)
}
if (s->start_ts == AV_NOPTS_VALUE)
s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t :
now;
+ if (av_sat_add64(s->start_ts, s->opt_duration) != s->start_ts +
(uint64_t)s->opt_duration)
Can't this instead be an if (s->start_ts > INT64_MAX - s->opt_duration)
check? Both s->start_ts and s->opt_duration are apparently guaranteed to
be positive.
+ return AVERROR_INVALIDDATA;
+
s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration :
AV_NOPTS_VALUE; /* may be overridden later by -E option */
cur_ts = now;
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
