From 2768928624793f66694f7f2b0824f052e69e3557 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 24 Jun 2021 18:57:51 +0200
Subject: [PATCH] avformat/sbgdec: Check opt_duration and start for overflow

Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000 cannot be represented in type 'long'
Fixes: 35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/sbgdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index 21a918db44..50e10f25f6 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -936,6 +936,9 @@ static int expand_timestamps(void *log, struct sbg_script *s)
     }
     if (s->start_ts == AV_NOPTS_VALUE)
         s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : now;
+    if (s->start_ts > INT64_MAX - s->opt_duration)
+        return AVERROR_INVALIDDATA;
+
     s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration :
                 AV_NOPTS_VALUE; /* may be overridden later by -E option */
     cur_ts = now;