[FFmpeg-cvslog] avformat/sbgdec: Check for timestamp overflow in parse_time_sequence()
Michael Niedermayer
git at videolan.org
Tue Oct 20 11:27:44 EEST 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Oct 19 16:24:58 2020 +0200| [685ed1cbd139d1da04d432a3d3be9929666761bf] | committer: Michael Niedermayer
avformat/sbgdec: Check for timestamp overflow in parse_time_sequence()
Fixes: signed integer overflow: 3458015007900000256 + 6425686373040000000 cannot be represented in type 'long'
Fixes: 26430/clusterfuzz-testcase-minimized-ffmpeg_dem_BRSTM_fuzzer-5761175004119040
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george at nsup.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=685ed1cbd139d1da04d432a3d3be9929666761bf
---
libavformat/sbgdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index c11244ef3d..4d6ae7abc5 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -538,6 +538,9 @@ static int parse_time_sequence(struct sbg_parser *p, int inblock)
return AVERROR_INVALIDDATA;
}
ts.type = p->current_time.type;
+
+ if (av_sat_add64(p->current_time.t, rel_ts) != p->current_time.t + (uint64_t)rel_ts)
+ return AVERROR_INVALIDDATA;
ts.t = p->current_time.t + rel_ts;
r = parse_fade(p, &fade);
if (r < 0)
More information about the ffmpeg-cvslog
mailing list