virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-29 22:00:58 +02:00
Code Issues Releases Activity

avformat/sbgdec: Check for t0 overflow in expand_tseq()

Browse Source 
Fixes: signed integer overflow: 4611686025627387904 + 4611686025627387904 cannot be represented in type 'long'
Fixes: 35489/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-4862678601433088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f624c92d4c6fa73dfa95959d886090af6790bc36)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-09-15 22:00:44 +02:00
parent 598d3614fd
commit 1d2a398827
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/sbgdec.c
View File

@ -964,6 +964,9 @@ static int expand_tseq(void *log, struct sbg_script *s, int *nb_ev_max,
tseq->name_len, tseq->name);
return AVERROR(EINVAL);
}
if (t0 + (uint64_t)tseq->ts.t != av_sat_add64(t0, tseq->ts.t))
return AVERROR(EINVAL);
t0 += tseq->ts.t;
for (i = 0; i < s->nb_def; i++) {
if (s->def[i].name_len == tseq->name_len &&