[FFmpeg-cvslog] avformat/sbgdec: Check for overflow in timestamp preparation
Michael Niedermayer
git at videolan.org
Wed Sep 8 22:43:42 EEST 2021
ffmpeg | branch: release/4.4 | Michael Niedermayer <michael at niedermayer.cc> | Tue Apr 27 20:53:32 2021 +0200| [3a18a6acc4b3cd60d2cf2af946f1a11af7c4600b] | committer: Michael Niedermayer
avformat/sbgdec: Check for overflow in timestamp preparation
Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6731040263634944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 9dbed908403b0d97ae70881fab68020f148b6b11)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3a18a6acc4b3cd60d2cf2af946f1a11af7c4600b
---
libavformat/sbgdec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index 83016d0c13..9530ea42a5 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -1291,6 +1291,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate,
ev1 = &s->events[i];
ev2 = &s->events[(i + 1) % s->nb_events];
ev1->ts_int = ev1->ts;
+
+ if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period)
+ return AVERROR_INVALIDDATA;
+
ev1->ts_trans = ev1->fade.slide ? ev1->ts
: ev2->ts + (ev1 < ev2 ? 0 : period);
}
More information about the ffmpeg-cvslog
mailing list