From 7d7ae689729ab331d67c2e17442715c75aca6e4a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 31 Oct 2020 11:54:16 +0100
Subject: avformat/avidec: Use av_sat_sub64() in check_stream_max_drift()

Fixes: signed integer overflow: 8833900919969684211 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 26726/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5669377724383232
Fixes: 27587/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6294562263531520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/avidec.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 7e527e15ee..57dc54452b 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1691,18 +1691,19 @@ static int check_stream_max_drift(AVFormatContext *s)
             AVIStream *ast = st->priv_data;
 
             if (idx[i] && min_dts != INT64_MAX / 2) {
-                int64_t dts;
+                int64_t dts, delta_dts;
                 dts = av_rescale_q(st->internal->index_entries[idx[i] - 1].timestamp /
                                    FFMAX(ast->sample_size, 1), st->time_base,
                                    AV_TIME_BASE_Q);
+                delta_dts = av_sat_sub64(dts, min_dts);
                 max_dts = FFMAX(max_dts, dts);
                 max_buffer = FFMAX(max_buffer,
-                                   av_rescale(dts - min_dts,
+                                   av_rescale(delta_dts,
                                               st->codecpar->bit_rate,
                                               AV_TIME_BASE));
             }
         }
-        if (max_dts - min_dts > 2 * AV_TIME_BASE ||
+        if (av_sat_sub64(max_dts, min_dts) > 2 * AV_TIME_BASE ||
             max_buffer > 1024 * 1024 * 8 * 8) {
             av_free(idx);
             return 1;
-- 
cgit v1.2.3
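Review bot: The new `delta_dts` can now be a saturated INT64_MAX, and av_rescale() signals its own overflow by returning INT64_MIN (as I read libavutil's av_rescale_rnd), which the `FFMAX(max_buffer, ...)` on the following lines silently discards instead of treating as an oversized buffer. The drift check further down still fails closed in that situation because `av_sat_sub64(max_dts, min_dts)` saturates positive and exceeds `2 * AV_TIME_BASE`, but nothing in the hunk records that the two checks depend on each other; a comment above the `delta_dts` assignment such as `/* dts or min_dts may be INT64_MIN if av_rescale_q() overflowed; saturate so the drift test below rejects the file instead of overflowing */` would keep a later edit from breaking it. The declaration `int64_t dts, delta_dts;` also puts delta_dts three lines before its first use; `int64_t delta_dts = av_sat_sub64(dts, min_dts);` at the point of use would read more clearly. check_stream_max_drift() both starts and ends outside the hunk, so the first loop that feeds min_dts is not visible here.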