On 6/25/2021 12:58 PM, Michael Niedermayer wrote:
On Fri, Jun 25, 2021 at 09:22:03AM -0300, James Almer wrote:
On 6/24/2021 5:57 PM, Michael Niedermayer wrote:
Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000 cannot be represented in type 'long'
Fixes: 35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavformat/sbgdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index dafdc4a1cc..0a6e927e57 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -935,6 +935,9 @@ static int expand_timestamps(void *log, struct sbg_script
*s)
}
if (s->start_ts == AV_NOPTS_VALUE)
s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t :
now;
+ if (av_sat_add64(s->start_ts, s->opt_duration) != s->start_ts +
(uint64_t)s->opt_duration)
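Review bot: the condition on the added `if` line needs a comment, because it detects overflow indirectly: it compares the saturated result of av_sat_add64() with the wrapped sum `s->start_ts + (uint64_t)s->opt_duration`, and that only works because the left-hand side is implicitly converted to unsigned for the comparison. A one-line comment stating the intent (reject the script when start_ts + opt_duration does not fit in int64_t), or explicit casts on both sides, would make this readable without working through the conversion rules. The quoted hunk stops at the condition, so the error path taken when it is true cannot be reviewed from here.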
Can't this instead be an if (s->start_ts > INT64_MAX - s->opt_duration)
check? Both s->start_ts and s->opt_duration are apparently guaranteed to be
positive.
The variables are read by str_to_time() which looks like it can read negative
numbers.
Afaics, it checks the very first character to be < '0' || > '9' for both
hours and minutes, so strtol() is not going to see a '-'.
Is there supposed to be one for seconds in valid files? If not, the same
check could be done and ensure no negative value is parsed.
But maybe I am missing something
thx
[...]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
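The two overflow checks discussed in this thread, side by side, as an added example that is not part of the patch or of FFmpeg. `sat_add64` is a local stand-in for `av_sat_add64()`, every function name here is hypothetical, and the first pair of operands is the one from the sanitizer message in the commit log.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for av_sat_add64(): add, clamping to the int64_t range. */
static int64_t sat_add64(int64_t a, int64_t b)
{
    if (b > 0 && a > INT64_MAX - b) return INT64_MAX;
    if (b < 0 && a < INT64_MIN - b) return INT64_MIN;
    return a + b;
}

/* Shape of the condition in the hunk: the saturated sum and the wrapped
 * unsigned sum differ exactly when the int64_t addition would overflow. */
static int overflows_sat_vs_wrap(int64_t a, int64_t b)
{
    return (uint64_t)sat_add64(a, b) != (uint64_t)a + (uint64_t)b;
}

/* Check proposed in the reply. Valid only for b >= 0: with a negative b,
 * INT64_MAX - b is itself a signed overflow. */
static int overflows_nonneg_only(int64_t a, int64_t b)
{
    return a > INT64_MAX - b;
}

/* Sign-aware variant that needs no assumption about the operands. */
static int overflows_any_sign(int64_t a, int64_t b)
{
    return (b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b);
}

int main(void)
{
    /* Operands taken from the sanitizer message in the commit log. */
    int64_t a = INT64_C(2788626175500000000), b = INT64_C(7118941284000000000);

    printf("sat/wrap=%d nonneg=%d any=%d clamped=%" PRId64 "\n",
           overflows_sat_vs_wrap(a, b), overflows_nonneg_only(a, b),
           overflows_any_sign(a, b), sat_add64(a, b));
    /* Negative operands: only the checks that make no sign assumption apply. */
    printf("sat/wrap=%d any=%d\n",
           overflows_sat_vs_wrap(INT64_MIN, -1), overflows_any_sign(INT64_MIN, -1));
    return 0;
}
```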