avformat/sbgdec: Check for overflow in timestamp preparation

Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6731040263634944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 9dbed908403b0d97ae70881fab68020f148b6b11) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-04-27 20:53:32 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-10-06 14:41:41 +0200
commit: b0e211ae39dec1c0ba6ff1dbff9d59c83f909697 (patch)
tree: eba256643fea58d797823300074a79d4da1fac6d
parent: 5b679de4582153e5f340b82fb66fe78b15994bcb (diff)
download: ffmpeg-b0e211ae39dec1c0ba6ff1dbff9d59c83f909697.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index ae59c56d5b..54279be5ca 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -1289,6 +1289,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate,
         ev1 = &s->events[i];
         ev2 = &s->events[(i + 1) % s->nb_events];
         ev1->ts_int   = ev1->ts;
+
+        if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period)
+            return AVERROR_INVALIDDATA;
+
         ev1->ts_trans = ev1->fade.slide ? ev1->ts
                                         : ev2->ts + (ev1 < ev2 ? 0 : period);
     }
author	Michael Niedermayer <michael@niedermayer.cc>	2021-04-27 20:53:32 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-10-06 14:41:41 +0200
commit	b0e211ae39dec1c0ba6ff1dbff9d59c83f909697 (patch)
tree	eba256643fea58d797823300074a79d4da1fac6d
parent	5b679de4582153e5f340b82fb66fe78b15994bcb (diff)
download	ffmpeg-b0e211ae39dec1c0ba6ff1dbff9d59c83f909697.tar.gz