virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-10-30 23:18:11 +02:00
Code Issues Releases Activity

avformat/subviewerdec: Make read_ts() more flexible

Browse Source 
Fixes: signed integer overflow: -1948269928 * 10 cannot be represented in type 'int'
Fixes: 49451/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6344614822412288

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
This commit is contained in:
Michael Niedermayer
2020-03-22 00:54:58 +01:00
parent a44f5a5212
commit 58a8e739ef
1 changed files with 20 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
libavformat/subviewerdec.c
View File

@@ -50,26 +50,32 @@ static int subviewer_probe(const AVProbeData *p)
return 0;
}
static int get_multiplier(int e) {
switch (e) {
case 1 : return 100;
case 2 : return 10;
case 3 : return 1;
default : return -1;
}
}
static int read_ts(const char *s, int64_t *start, int *duration)
{
int64_t end;
int hh1, mm1, ss1, ms1;
int hh2, mm2, ss2, ms2;
int multiplier = 1;
int multiplier1, multiplier2;
int ms1p1, ms1p2, ms2p1, ms2p2;
if (sscanf(s, "%u:%u:%u.%2u,%u:%u:%u.%2u",
&hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) {
multiplier = 10;
} else if (sscanf(s, "%u:%u:%u.%1u,%u:%u:%u.%1u",
&hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) {
multiplier = 100;
}
if (sscanf(s, "%u:%u:%u.%u,%u:%u:%u.%u",
&hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) {
ms1 = FFMIN(ms1, 999);
ms2 = FFMIN(ms2, 999);
end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier;
*start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier;
if (sscanf(s, "%u:%u:%u.%n%u%n,%u:%u:%u.%n%u%n",
&hh1, &mm1, &ss1, &ms1p1, &ms1, &ms1p2, &hh2, &mm2, &ss2, &ms2p1, &ms2, &ms2p2) == 8) {
multiplier1 = get_multiplier(ms1p2 - ms1p1);
multiplier2 = get_multiplier(ms2p2 - ms2p1);
if (multiplier1 <= 0 ||multiplier2 <= 0)
return -1;
end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier2;
*start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier1;
*duration = end - *start;
return 0;
}