From a9137110eda130ba07a2a43bdedff2421efbb7a9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 30 Sep 2023 21:18:14 +0200
Subject: avformat/sbgdec: Check for period overflow

Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/sbgdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'libavformat')

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index c1995759a8..73b5be9007 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -1273,7 +1273,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate,
     /* SBaGen handles the time before and after the extremal events,
        and the corresponding transitions, as if the sequence were cyclic
        with a 24-hours period. */
-    period = s->events[s->nb_events - 1].ts - s->events[0].ts;
+    period = s->events[s->nb_events - 1].ts - (uint64_t)s->events[0].ts;
+    if (period < 0)
+        return AVERROR_INVALIDDATA;
+
     period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS;
     period = FFMAX(period, DAY_TS);
 
-- 
cgit v1.2.3