From c5cc3b08e56fc95665977544486bd9f06e4b7a72 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 3 Aug 2016 13:34:40 +0200
Subject: [PATCH] avformat/oggdec: Fix integer overflow with invalid pts

If negative pts are possible for some codecs in ogg then the code needs to be
changed to use signed values.

Found-by: Thomas Guilbert <tguilbert@google.com>
Fixes: clusterfuzz_usan-2016-08-02
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/oggdec.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h
index d7af1cfabd..4a2b6ddee8 100644
--- a/libavformat/oggdec.h
+++ b/libavformat/oggdec.h
@@ -162,6 +162,11 @@ ogg_gptopts (AVFormatContext * s, int i, uint64_t gp, int64_t *dts)
         if (dts)
             *dts = pts;
     }
+    if (pts > INT64_MAX && pts != AV_NOPTS_VALUE) {
+        // The return type is unsigned, we thus cannot return negative pts
+        av_log(s, AV_LOG_ERROR, "invalid pts %"PRId64"\n", pts);
+        pts = AV_NOPTS_VALUE;
+    }
 
     return pts;
 }