[FFmpeg-cvslog] avformat/realtextdec: Avoid undefined overflow in the end of read_ts()

Tue Jan 26 20:09:30 EET 2021

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Jan 16 23:37:41 2021 +0100| [aa1b8e6898f861cc065c3b0fe315e826a324d0a9] | committer: Michael Niedermayer

avformat/realtextdec: Avoid undefined overflow in the end of read_ts()

Fixes: signed integer overflow: 234080282628234040 * 100 cannot be represented in type 'long long'
Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_REALTEXT_fuzzer-6649867065753600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aa1b8e6898f861cc065c3b0fe315e826a324d0a9
---

 libavformat/realtextdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c
index 390f8ddc67..f534774420 100644
--- a/libavformat/realtextdec.c
+++ b/libavformat/realtextdec.c
@@ -54,7 +54,7 @@ static int64_t read_ts(const char *s)
     if (sscanf(s,    "%u:%u.%u",      &mm, &ss, &ms) == 3) return (            mm*60LL + ss) * 100LL + ms;
     if (sscanf(s,    "%u:%u"   ,      &mm, &ss     ) == 2) return (            mm*60LL + ss) * 100LL;
     if (sscanf(s,       "%u.%u",           &ss, &ms) == 2) return (                      ss) * 100LL + ms;
-    return strtol(s, NULL, 10) * 100LL;
+    return strtoll(s, NULL, 10) * 100ULL;
 }
 
 static int realtext_read_header(AVFormatContext *s)

