
[FFmpeg-devel,2/4] avformat/mpl2dec: Fix integer overflow with duration

Message ID 20200608101451.10928-2-michael@niedermayer.cc
State Accepted
Commit 9a42a67c5ca198a3879b7f3663cc44ccbcaf0bd3
Series [FFmpeg-devel,1/4] avformat/thp: Check fps | expand

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Michael Niedermayer June 8, 2020, 10:14 a.m. UTC
Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'
Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mpl2dec.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

Comments

Michael Niedermayer June 12, 2020, 9:43 p.m. UTC | #1
On Mon, Jun 08, 2020 at 12:14:49PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'
> Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mpl2dec.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)

will apply

[...]

Patch

diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c
index 4ae18390f0..ddee638c31 100644
--- a/libavformat/mpl2dec.c
+++ b/libavformat/mpl2dec.c
@@ -55,7 +55,7 @@  static int mpl2_probe(const AVProbeData *p)
     return AVPROBE_SCORE_MAX;
 }
 
-static int read_ts(char **line, int64_t *pts_start, int *duration)
+static int read_ts(char **line, int64_t *pts_start, int64_t *duration)
 {
     char c;
     int len;
@@ -69,7 +69,10 @@  static int read_ts(char **line, int64_t *pts_start, int *duration)
     }
     if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n",
                pts_start, &end, &c, &len) >= 3) {
-        *duration = end - *pts_start;
+        if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) {
+            *duration = -1;
+        } else
+            *duration = end - *pts_start;
         *line += len - 1;
         return 0;
     }
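Review bot: The new guard is only correct because of evaluation order: `end - (uint64_t)*pts_start` is computed in uint64_t and is meaningful only after `end < *pts_start` has been ruled out. A comment above the `if` would keep a later edit from reordering it, for example `/* end >= start here, so the unsigned difference is exact; reject spans that do not fit in int64_t */`. The `else` arm should also be braced to match the `if` arm (`} else {`). A reversed range and an oversized span both become `-1`; whether callers treat that as "unknown duration" cannot be confirmed here, because read_ts() starts and ends outside the hunk. Separately, both values come from `sscanf` with `SCNd64` on file-supplied text, and the C standard leaves out-of-range conversions undefined, so parsing with `strtoll` and checking `ERANGE` would be the stricter follow-up.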
@@ -97,7 +100,7 @@  static int mpl2_read_header(AVFormatContext *s)
         const int64_t pos = avio_tell(s->pb);
         int len = ff_get_line(s->pb, line, sizeof(line));
         int64_t pts_start;
-        int duration;
+        int64_t duration;
 
         if (!len)
             break;
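Review bot: The widened `duration` in mpl2_read_header() can now carry spans above INT_MAX as well as the `-1` that read_ts() writes for a rejected range, but the code that consumes it lies below this hunk. It is worth confirming that the field it is stored into is 64-bit and that a negative value is handled as "no duration" rather than used in arithmetic. A short comment on the declaration would document the contract, for example `int64_t duration; /* -1 if the line carries no usable end time */`.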