avformat/concatdec: Check in/outpoint for overflow

Fixes: signed integer overflow: 91542414454000000 - -9154241494546000000 cannot be represented in type 'long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4739147999084544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dedc78b4b5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2023-09-30 19:11:34 +02:00
parent 83c99e5ac1
commit 559b379cbd
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64
1 changed files with 3 additions and 1 deletions

View File

@ -494,7 +494,9 @@ static int concat_read_header(AVFormatContext *avf)
else
time = cat->files[i].start_time;
if (cat->files[i].user_duration == AV_NOPTS_VALUE) {
if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE)
if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE ||
cat->files[i].outpoint - (uint64_t)cat->files[i].inpoint != av_sat_sub64(cat->files[i].outpoint, cat->files[i].inpoint)
)
break;
cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint;
}