On 6/24/2021 5:57 PM, Michael Niedermayer wrote:
Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000 
cannot be represented in type 'long'
Fixes: 
35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
  libavformat/sbgdec.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index dafdc4a1cc..0a6e927e57 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -935,6 +935,9 @@ static int expand_timestamps(void *log, struct sbg_script 
*s)
      }
      if (s->start_ts == AV_NOPTS_VALUE)
          s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : 
now;
+    if (av_sat_add64(s->start_ts, s->opt_duration) != s->start_ts + 
(uint64_t)s->opt_duration)

Can't this instead be an if (s->start_ts > INT64_MAX - s->opt_duration) check? Both s->start_ts and s->opt_duration are apparently guaranteed to be positive.

+        return AVERROR_INVALIDDATA;
+
      s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration :
                  AV_NOPTS_VALUE; /* may be overridden later by -E option */
      cur_ts = now;


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to