Message ID | 20210114225116.13486-3-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel,1/7] avformat/ads: Check size | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
On Thu, 14 Jan 2021, Michael Niedermayer wrote: > Fixes: signed integer overflow: -9223372053736 * 1000000 cannot be represented in type 'long' > Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6607924558430208 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavutil/parseutils.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavutil/parseutils.c b/libavutil/parseutils.c > index 167e822648..6161f4ac95 100644 > --- a/libavutil/parseutils.c > +++ b/libavutil/parseutils.c > @@ -736,7 +736,7 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration) > if (*q) > return AVERROR(EINVAL); > > - if (INT64_MAX / suffix < t) > + if (t < 0 || INT64_MAX / suffix < t) This does not look right, because a negative t can mean a date before 1970. Regards, Marton > return AVERROR(ERANGE); > t *= suffix; > if (INT64_MAX - microseconds < t) > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
On Fri, Jan 15, 2021 at 09:36:26PM +0100, Marton Balint wrote: > > > On Thu, 14 Jan 2021, Michael Niedermayer wrote: > > > Fixes: signed integer overflow: -9223372053736 * 1000000 cannot be represented in type 'long' > > Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6607924558430208 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavutil/parseutils.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavutil/parseutils.c b/libavutil/parseutils.c > > index 167e822648..6161f4ac95 100644 > > --- a/libavutil/parseutils.c > > +++ b/libavutil/parseutils.c > > @@ -736,7 +736,7 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration) > > if (*q) > > return AVERROR(EINVAL); > > > > - if (INT64_MAX / suffix < t) > > + if (t < 0 || INT64_MAX / suffix < t) > > This does not look right, because a negative t can mean a date before 1970. indeed ive somehow mixed something up between the negative duration handling and the documentation of the error code. Will post a better patch thx [...]
diff --git a/libavutil/parseutils.c b/libavutil/parseutils.c index 167e822648..6161f4ac95 100644 --- a/libavutil/parseutils.c +++ b/libavutil/parseutils.c @@ -736,7 +736,7 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration) if (*q) return AVERROR(EINVAL); - if (INT64_MAX / suffix < t) + if (t < 0 || INT64_MAX / suffix < t) return AVERROR(ERANGE); t *= suffix; if (INT64_MAX - microseconds < t)
Fixes: signed integer overflow: -9223372053736 * 1000000 cannot be represented in type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6607924558430208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavutil/parseutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)