diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2021-09-15 22:00:44 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-10-05 23:19:39 +0200 |
commit | 1d2a3988270faa0dff5a3eff500d71c01789bf29 (patch) | |
tree | ab1cd3c592d7762fdf99cb265be5ec9d52a45003 | |
parent | 598d3614fd19a23d5b4f8ce2b179355a1cff3e5c (diff) | |
download | ffmpeg-1d2a3988270faa0dff5a3eff500d71c01789bf29.tar.gz |
avformat/sbgdec: Check for t0 overflow in expand_tseq()
Fixes: signed integer overflow: 4611686025627387904 + 4611686025627387904 cannot be represented in type 'long'
Fixes: 35489/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-4862678601433088
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f624c92d4c6fa73dfa95959d886090af6790bc36)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavformat/sbgdec.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 55a5e27c1f..36cfff20fc 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -964,6 +964,9 @@ static int expand_tseq(void *log, struct sbg_script *s, int *nb_ev_max, tseq->name_len, tseq->name); return AVERROR(EINVAL); } + if (t0 + (uint64_t)tseq->ts.t != av_sat_add64(t0, tseq->ts.t)) + return AVERROR(EINVAL); + t0 += tseq->ts.t; for (i = 0; i < s->nb_def; i++) { if (s->def[i].name_len == tseq->name_len && |