diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2019-09-05 23:06:21 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-09-24 17:53:39 +0200 |
| commit | 72db18e929cf3310cfc2a6eb4170a0d390e5a105 (patch) | |
| tree | e90beadfab56edb07ea597468e7fa6afe07d8abc | |
| parent | c7ccbf40edb81d40727cca3a7ffd1848d3ed880a (diff) | |
| download | ffmpeg-72db18e929cf3310cfc2a6eb4170a0d390e5a105.tar.gz | |
avformat/utils: Do not assume duration is non negative in compute_pkt_fields()
Several subtitle demuxers set negative durations
Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'
Fixes: 16925/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5766519790764032
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/utils.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libavformat/utils.c b/libavformat/utils.c index 3983a3f4ce..3168931587 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1299,7 +1299,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, } duration = av_mul_q((AVRational) {pkt->duration, 1}, st->time_base); - if (pkt->duration == 0) { + if (pkt->duration <= 0) { ff_compute_frame_duration(s, &num, &den, st, pc, pkt); if (den && num) { duration = (AVRational) {num, den}; @@ -1310,7 +1310,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, } } - if (pkt->duration != 0 && (s->internal->packet_buffer || s->internal->parse_queue)) + if (pkt->duration > 0 && (s->internal->packet_buffer || s->internal->parse_queue)) update_initial_durations(s, st, pkt->stream_index, pkt->duration); /* Correct timestamps with byte offset if demuxers only have timestamps @@ -1370,7 +1370,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, * by knowing the future. */ } else if (pkt->pts != AV_NOPTS_VALUE || pkt->dts != AV_NOPTS_VALUE || - pkt->duration ) { + pkt->duration > 0 ) { /* presentation is not delayed : PTS and DTS are the same */ if (pkt->pts == AV_NOPTS_VALUE) @@ -1380,7 +1380,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, if (pkt->pts == AV_NOPTS_VALUE) pkt->pts = st->cur_dts; pkt->dts = pkt->pts; - if (pkt->pts != AV_NOPTS_VALUE) + if (pkt->pts != AV_NOPTS_VALUE && duration.num >= 0) st->cur_dts = av_add_stable(st->time_base, pkt->pts, duration, 1); } } |