On Fri, Jun 25, 2021 at 09:22:03AM -0300, James Almer wrote: > On 6/24/2021 5:57 PM, Michael Niedermayer wrote: > > Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000 > > cannot be represented in type 'long' > > Fixes: > > 35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavformat/sbgdec.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c > > index dafdc4a1cc..0a6e927e57 100644 > > --- a/libavformat/sbgdec.c > > +++ b/libavformat/sbgdec.c > > @@ -935,6 +935,9 @@ static int expand_timestamps(void *log, struct > > sbg_script *s) > > } > > if (s->start_ts == AV_NOPTS_VALUE) > > s->start_ts = (s->opt_start_at_first && s->tseq) ? > > s->tseq[0].ts.t : now; > > + if (av_sat_add64(s->start_ts, s->opt_duration) != s->start_ts + > > (uint64_t)s->opt_duration) > > Can't this instead be an if (s->start_ts > INT64_MAX - s->opt_duration) > check? Both s->start_ts and s->opt_duration are apparently guaranteed to be > positive.
The variables are read by str_to_time() which looks like it can read negative numbers. But maybe iam missing something thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I do not agree with what you have to say, but I'll defend to the death your right to say it. -- Voltaire
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".