avformat/sbgdec: Check for t0 overflow in expand_tseq()

Fixes: signed integer overflow: 4611686025627387904 + 4611686025627387904 cannot be represented in type 'long' Fixes: 35489/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-4862678601433088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f624c92d4c6fa73dfa95959d886090af6790bc36) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-09-15 22:00:44 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-10-06 14:41:42 +0200
commit: 1b4ab72ad64c27cbacbf8abba735b87dff9af605 (patch)
tree: a425206c6b5f2a65576b9adc492f9d45c8173e78
parent: 70291713b0e0bf68494855030572e778e182f376 (diff)
download: ffmpeg-1b4ab72ad64c27cbacbf8abba735b87dff9af605.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index b880f4aa1e..5bc914169b 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -962,6 +962,9 @@ static int expand_tseq(void *log, struct sbg_script *s, int *nb_ev_max,
                tseq->name_len, tseq->name);
         return AVERROR(EINVAL);
     }
+    if (t0 + (uint64_t)tseq->ts.t != av_sat_add64(t0, tseq->ts.t))
+        return AVERROR(EINVAL);
+
     t0 += tseq->ts.t;
     for (i = 0; i < s->nb_def; i++) {
         if (s->def[i].name_len == tseq->name_len &&
author	Michael Niedermayer <michael@niedermayer.cc>	2021-09-15 22:00:44 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-10-06 14:41:42 +0200
commit	1b4ab72ad64c27cbacbf8abba735b87dff9af605 (patch)
tree	a425206c6b5f2a65576b9adc492f9d45c8173e78
parent	70291713b0e0bf68494855030572e778e182f376 (diff)
download	ffmpeg-1b4ab72ad64c27cbacbf8abba735b87dff9af605.tar.gz