From 4c777d52b9b1048ba92cab1a658c218c38282d25 Mon Sep 17 00:00:00 2001
From: Marton Balint <cus@passwd.hu>
Date: Sun, 30 Sep 2018 22:34:41 +0200
Subject: [PATCH] avutil/parseutils: fix some overflows in duration
 calculations

Also properly return AVERROR(ERANGE) in case of actual overflows.

Signed-off-by: Marton Balint <cus@passwd.hu>
---
 libavutil/parseutils.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/libavutil/parseutils.c b/libavutil/parseutils.c
index 924c49d52cf..59bec6cc9d2 100644
--- a/libavutil/parseutils.c
+++ b/libavutil/parseutils.c
@@ -661,12 +661,15 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration)
         if (!q) {
             char *o;
             /* parse timestr as S+ */
-            dt.tm_sec = strtol(p, &o, 10);
+            errno = 0;
+            t = strtoll(p, &o, 10);
             if (o == p) /* the parsing didn't succeed */
                 return AVERROR(EINVAL);
-            dt.tm_min = 0;
-            dt.tm_hour = 0;
+            if (errno == ERANGE)
+                return AVERROR(ERANGE);
             q = o;
+        } else {
+            t = dt.tm_hour * 3600 + dt.tm_min * 60 + dt.tm_sec;
         }
     }
 
@@ -688,7 +691,6 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration)
     }
 
     if (duration) {
-        t = dt.tm_hour * 3600 + dt.tm_min * 60 + dt.tm_sec;
         if (q[0] == 'm' && q[1] == 's') {
             suffix = 1000;
             microseconds /= 1000;
@@ -734,7 +736,11 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration)
     if (*q)
         return AVERROR(EINVAL);
 
+    if (INT64_MAX / suffix < t)
+        return AVERROR(ERANGE);
     t *= suffix;
+    if (INT64_MAX - microseconds < t)
+        return AVERROR(ERANGE);
     t += microseconds;
     *timeval = negative ? -t : t;
     return 0;
-- 
GitLab