avformat/sbgdec: Check for timestamp overflow in parse_time_sequence()

Fixes: signed integer overflow: 3458015007900000256 + 6425686373040000000 cannot be represented in type 'long' Fixes: 26430/clusterfuzz-testcase-minimized-ffmpeg_dem_BRSTM_fuzzer-5761175004119040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-19 16:24:58 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-10-20 10:27:31 +0200
commit: 685ed1cbd139d1da04d432a3d3be9929666761bf (patch)
tree: f762c550d9f52115c6af8936ce98462a588975ff /libavformat
parent: a2b1dd0ce301450a47c972745a6b33c4c273aa5d (diff)
download: ffmpeg-685ed1cbd139d1da04d432a3d3be9929666761bf.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index c11244ef3d..4d6ae7abc5 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -538,6 +538,9 @@ static int parse_time_sequence(struct sbg_parser *p, int inblock)
         return AVERROR_INVALIDDATA;
     }
     ts.type = p->current_time.type;
+
+    if (av_sat_add64(p->current_time.t, rel_ts) != p->current_time.t + (uint64_t)rel_ts)
+        return AVERROR_INVALIDDATA;
     ts.t    = p->current_time.t + rel_ts;
     r = parse_fade(p, &fade);
     if (r < 0)
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-19 16:24:58 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-10-20 10:27:31 +0200
commit	685ed1cbd139d1da04d432a3d3be9929666761bf (patch)
tree	f762c550d9f52115c6af8936ce98462a588975ff /libavformat
parent	a2b1dd0ce301450a47c972745a6b33c4c273aa5d (diff)
download	ffmpeg-685ed1cbd139d1da04d432a3d3be9929666761bf.tar.gz