authorMichael Niedermayer <michael@niedermayer.cc>2020-11-10 00:04:50 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2021-02-02 14:18:21 +0100
commita0c75b800fa98f2796a3867e600f910ced323ae5 (patch)
tree519ef403d2d57f46609c82315e4d6d5cb973f3fb
parent04f802e729e224e9a4c831b64e9d27c87c25cfb6 (diff)
downloadffmpeg-a0c75b800fa98f2796a3867e600f910ced323ae5.tar.gz
avformat/sbgdec: Check that end is not before start
Fixes: signed integer overflow: -9223372036854775808 + -5279949906739200 cannot be represented in type 'long' Fixes: 26908/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6329610851319808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 9ef60a66f1f155605049402415bd901c8baf1a24) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/sbgdec.c5
1 files changed, 5 insertions, 0 deletions
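diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index ae2e0a0d02..924a6d979c 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -1414,6 +1414,11 @@ static av_cold int sbg_read_header(AVFormatContext *avf)
 if (r < 0)
 goto fail;
+ if (script.end_ts != AV_NOPTS_VALUE && script.end_ts < script.start_ts) {
+ r = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+
 st = avformat_new_stream(avf, NULL);
 if (!st)
 return AVERROR(ENOMEM);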
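Review bot: The new guard at the top of the hunk only rejects end_ts when end_ts is set, so a start_ts that is itself AV_NOPTS_VALUE (INT64_MIN) passes the comparison unchanged, and any later end-minus-start timestamp arithmetic of the kind the commit message says this fixes would still be exposed; whether start_ts can be unset at this point is not visible in the hunk and is worth confirming against the parser. The check also carries no comment tying it to the overflow it prevents, so a reader sees an arbitrary ordering constraint; a one-liner such as `/* an end before the start makes the duration negative and overflows the timestamp arithmetic */` above the `if` would make the intent durable. sbg_read_header begins and ends outside the hunk.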