On 6/25/2021 12:58 PM, Michael Niedermayer wrote:
On Fri, Jun 25, 2021 at 09:22:03AM -0300, James Almer wrote:
On 6/24/2021 5:57 PM, Michael Niedermayer wrote:
Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000 cannot be represented in type 'long'
Fixes: 35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
   libavformat/sbgdec.c | 3 +++
   1 file changed, 3 insertions(+)

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index dafdc4a1cc..0a6e927e57 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -935,6 +935,9 @@ static int expand_timestamps(void *log, struct sbg_script 
*s)
       }
       if (s->start_ts == AV_NOPTS_VALUE)
           s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : 
now;
+    if (av_sat_add64(s->start_ts, s->opt_duration) != s->start_ts + 
(uint64_t)s->opt_duration)
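
Review bot: on the added `if` line, the test compares the int64_t result of av_sat_add64() with a sum computed in uint64_t, so it depends on the implicit signed-to-unsigned conversion of the left operand. It does detect overflow in both directions, but a reader has to work that out. Suggest a one-line comment stating that the condition is true exactly when start_ts + opt_duration does not fit in int64_t, or, if both values can be shown to be non-negative, the plainer `s->start_ts > INT64_MAX - s->opt_duration`. The quoted hunk stops at the condition, so the body of the `if` is not visible here.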

Can't this instead be an if (s->start_ts > INT64_MAX - s->opt_duration)
check? Both s->start_ts and s->opt_duration are apparently guaranteed to be
positive.

The variables are read by str_to_time() which looks like it can read negative
numbers.

Afaics, it checks the very first character to be < '0' || > '9' for both hours and minutes, so strtol() is not going to see a '-'. Is there supposed to be one for seconds in valid files? If not, the same check could be done and ensure no negative value is parsed.

But maybe I am missing something

thx

[...]
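
The overflow tests discussed in this thread (the one-sided `INT64_MAX - b` comparison, a sign-aware variant, and a wraparound comparison done in unsigned arithmetic), as an added C example that is not part of the original messages or of FFmpeg. The function names are hypothetical and the inputs are constructed, except the first pair, which is the one quoted in the commit message.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers, not FFmpeg code. Each reports whether a + b fits in
 * int64_t without ever evaluating an overflowing signed expression. */

/* Sign-aware form: safe for any a and b. Returns 1 on overflow. */
static int add_overflows_any(int64_t a, int64_t b)
{
    if (b > 0)
        return a > INT64_MAX - b;  /* INT64_MAX - b is in range for b > 0 */
    if (b < 0)
        return a < INT64_MIN - b;  /* INT64_MIN - b is in range for b < 0 */
    return 0;
}

/* One-sided form from the thread. INT64_MAX - b is itself undefined for
 * b < 0, so negative b must be rejected first; -1 flags that misuse. */
static int add_overflows_nonneg(int64_t a, int64_t b)
{
    if (b < 0)
        return -1;
    return a > INT64_MAX - b;
}

/* Wraparound form: add in uint64_t (well defined); overflow happened iff
 * the result's sign bit differs from the sign bit of both inputs. */
static int add_overflows_wrap(int64_t a, int64_t b)
{
    uint64_t ua = (uint64_t)a, ub = (uint64_t)b, us = ua + ub;
    return (int)(((ua ^ us) & (ub ^ us)) >> 63);
}

int main(void)
{
    /* Constructed inputs; the first pair is the one in the commit message. */
    static const int64_t in[][2] = {
        { INT64_C(2788626175500000000), INT64_C(7118941284000000000) },
        { INT64_MAX, 0 }, { INT64_MAX, 1 }, { -5, 10 },
        { INT64_MIN, -1 }, { 100, INT64_MIN },
    };
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        printf("%20lld + %20lld: any=%d nonneg=%d wrap=%d\n",
               (long long)in[i][0], (long long)in[i][1],
               add_overflows_any(in[i][0], in[i][1]),
               add_overflows_nonneg(in[i][0], in[i][1]),
               add_overflows_wrap(in[i][0], in[i][1]));
    return 0;
}
```

The one-sided form agrees with the other two whenever the second operand is non-negative, which is why the question of whether the parser can produce negative values decides which check is sufficient.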


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

