Message ID | 20200608101451.10928-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 9a42a67c5ca198a3879b7f3663cc44ccbcaf0bd3 |
Headers | show |
Series | [FFmpeg-devel,1/4] avformat/thp: Check fps | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
On Mon, Jun 08, 2020 at 12:14:49PM +0200, Michael Niedermayer wrote: > Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' > Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/mpl2dec.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) will apply [...]
diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index 4ae18390f0..ddee638c31 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -55,7 +55,7 @@ static int mpl2_probe(const AVProbeData *p) return AVPROBE_SCORE_MAX; } -static int read_ts(char **line, int64_t *pts_start, int *duration) +static int read_ts(char **line, int64_t *pts_start, int64_t *duration) { char c; int len; @@ -69,7 +69,10 @@ static int read_ts(char **line, int64_t *pts_start, int *duration) } if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n", pts_start, &end, &c, &len) >= 3) { - *duration = end - *pts_start; + if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) { + *duration = -1; + } else + *duration = end - *pts_start; *line += len - 1; return 0; } @@ -97,7 +100,7 @@ static int mpl2_read_header(AVFormatContext *s) const int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line, sizeof(line)); int64_t pts_start; - int duration; + int64_t duration; if (!len) break;
Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mpl2dec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)