diff mbox series

[FFmpeg-devel,3/4] avformat/jacosubdec: Use 64bit inside get_shift()

Message ID 20201019155955.27725-3-michael@niedermayer.cc
State Accepted
Commit 715ff75e5dbbbefff7337351db596a9b7a5d4379
Headers show
Series [FFmpeg-devel,1/4] avformat/genh: Check block_align | expand

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Michael Niedermayer Oct. 19, 2020, 3:59 p.m. UTC 
Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int'
Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/jacosubdec.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

Comments

Michael Niedermayer Oct. 24, 2020, 5:09 p.m. UTC | #1 
On Mon, Oct 19, 2020 at 05:59:54PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int'
> Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/jacosubdec.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

will apply

[...]
diff mbox series

Patch

diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c
index 3414eb3938..e70ceeaafd 100644
--- a/libavformat/jacosubdec.c
+++ b/libavformat/jacosubdec.c
@@ -136,6 +136,7 @@  static int get_shift(int timeres, const char *buf)
 {
     int sign = 1;
     int a = 0, b = 0, c = 0, d = 0;
+    int64_t ret;
 #define SSEP "%*1[.:]"
     int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d);
 #undef SSEP
@@ -145,13 +146,16 @@  static int get_shift(int timeres, const char *buf)
         a = FFABS(a);
     }
 
+    ret = 0;
     switch (n) {
-    case 4: return sign * ((a*3600 + b*60 + c) * timeres + d);
-    case 3: return sign * ((         a*60 + b) * timeres + c);
-    case 2: return sign * ((                a) * timeres + b);
+    case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d);
+    case 3: ret = sign * ((         (int64_t)a*60 + b) * timeres + c);
+    case 2: ret = sign * ((                (int64_t)a) * timeres + b);
     }
+    if ((int)ret != ret)
+        ret = 0;
 
-    return 0;
+    return ret;
 }
 
 static int jacosub_read_header(AVFormatContext *s)