virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-10-30 23:18:11 +02:00
Code Issues Releases Activity

avformat/sbgdec: Check for overflow in last loop in expand_timestamps()

Browse Source 
Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long'
Fixes: 31003/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6256298771480576

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2021-03-06 00:10:05 +01:00
parent be08b84f8b
commit f44068db1e
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
libavformat/sbgdec.c
View File

@@ -891,7 +891,7 @@ fail:
return size;
}
static void expand_timestamps(void *log, struct sbg_script *s)
static int expand_timestamps(void *log, struct sbg_script *s)
{
int i, nb_rel = 0;
int64_t now, cur_ts, delta = 0;
@@ -939,10 +939,13 @@ static void expand_timestamps(void *log, struct sbg_script *s)
AV_NOPTS_VALUE; /* may be overridden later by -E option */
cur_ts = now;
for (i = 0; i < s->nb_tseq; i++) {
if (av_sat_add64(s->tseq[i].ts.t, delta) != s->tseq[i].ts.t + (uint64_t)delta)
return AVERROR_INVALIDDATA;
if (s->tseq[i].ts.t + delta < cur_ts)
delta += DAY_TS;
cur_ts = s->tseq[i].ts.t += delta;
}
return 0;
}
static int expand_tseq(void *log, struct sbg_script *s, int *nb_ev_max,
@@ -995,7 +998,9 @@ static int expand_script(void *log, struct sbg_script *s)
{
int i, r, nb_events_max = 0;
expand_timestamps(log, s);
r = expand_timestamps(log, s);
if (r < 0)
return r;
for (i = 0; i < s->nb_tseq; i++) {
r = expand_tseq(log, s, &nb_events_max, 0, &s->tseq[i]);
if (r < 0)