| Message ID | 20230930223046.22896-7-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | a9137110eda130ba07a2a43bdedff2421efbb7a9 |
| Headers | show |
| Series | [FFmpeg-devel,01/15] avformat/concatdec: Check in/outpoint for overflow | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
Michael Niedermayer (12023-10-01): > Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long' > Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/sbgdec.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) No objections. Regards,
On Tue, Oct 03, 2023 at 01:06:43PM +0200, Nicolas George wrote: > Michael Niedermayer (12023-10-01): > > Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long' > > Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/sbgdec.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > No objections. will apply thx [...]
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index c1995759a8f..73b5be9007d 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1273,7 +1273,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* SBaGen handles the time before and after the extremal events, and the corresponding transitions, as if the sequence were cyclic with a 24-hours period. */ - period = s->events[s->nb_events - 1].ts - s->events[0].ts; + period = s->events[s->nb_events - 1].ts - (uint64_t)s->events[0].ts; + if (period < 0) + return AVERROR_INVALIDDATA; + period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS; period = FFMAX(period, DAY_TS);
Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/sbgdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)