avformat/concatdec: Check in/outpoint for overflow

Fixes: signed integer overflow: 91542414454000000 - -9154241494546000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4739147999084544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit dedc78b4b5) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 year ago · afb5d20e23
parent 53bcb6eaf5
commit afb5d20e23
1 changed files with 3 additions and 1 deletions
--- a/libavformat/concatdec.c
+++ b/libavformat/concatdec.c
@ -667,7 +667,9 @@ static int concat_read_header(AVFormatContext *avf)
        else
            time = cat->files[i].start_time;
        if (cat->files[i].user_duration == AV_NOPTS_VALUE) {
-            if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE)
+            if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE ||
+                cat->files[i].outpoint - (uint64_t)cat->files[i].inpoint != av_sat_sub64(cat->files[i].outpoint, cat->files[i].inpoint)
+            )
                break;
            cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint;
        }