[FFmpeg-devel] [PATCH 1/5] avformat/sbgdec: Check for t0 overflow in expand_tseq()
Michael Niedermayer
michael at niedermayer.cc
Wed Sep 15 23:00:44 EEST 2021
Fixes: signed integer overflow: 4611686025627387904 + 4611686025627387904 cannot be represented in type 'long'
Fixes: 35489/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-4862678601433088
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavformat/sbgdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index 50e10f25f69..5821ce967a0 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -965,6 +965,9 @@ static int expand_tseq(void *log, struct sbg_script *s, int *nb_ev_max,
tseq->name_len, tseq->name);
return AVERROR(EINVAL);
}
+ if (t0 + (uint64_t)tseq->ts.t != av_sat_add64(t0, tseq->ts.t))
+ return AVERROR(EINVAL);
+
t0 += tseq->ts.t;
for (i = 0; i < s->nb_def; i++) {
if (s->def[i].name_len == tseq->name_len &&
--
2.17.1
More information about the ffmpeg-devel
mailing list