[FFmpeg-cvslog] avformat/sbgdec: Check for t0 overflow in expand_tseq()

Michael Niedermayer git at videolan.org
Wed Oct 6 19:07:37 EEST 2021


ffmpeg | branch: release/4.4 | Michael Niedermayer <michael at niedermayer.cc> | Wed Sep 15 22:00:44 2021 +0200| [1d2a3988270faa0dff5a3eff500d71c01789bf29] | committer: Michael Niedermayer

avformat/sbgdec: Check for t0 overflow in expand_tseq()

Fixes: signed integer overflow: 4611686025627387904 + 4611686025627387904 cannot be represented in type 'long'
Fixes: 35489/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-4862678601433088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george at nsup.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit f624c92d4c6fa73dfa95959d886090af6790bc36)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d2a3988270faa0dff5a3eff500d71c01789bf29
---

 libavformat/sbgdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index 55a5e27c1f..36cfff20fc 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -964,6 +964,9 @@ static int expand_tseq(void *log, struct sbg_script *s, int *nb_ev_max,
                tseq->name_len, tseq->name);
         return AVERROR(EINVAL);
     }
+    if (t0 + (uint64_t)tseq->ts.t != av_sat_add64(t0, tseq->ts.t))
+        return AVERROR(EINVAL);
+
     t0 += tseq->ts.t;
     for (i = 0; i < s->nb_def; i++) {
         if (s->def[i].name_len == tseq->name_len &&



More information about the ffmpeg-cvslog mailing list