From 2838f8f54c459deeafe015cc059e3ca9987f4cb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Sat, 9 Aug 2025 16:49:17 +0200
Subject: [PATCH] avformat/lrcdec: limit input timestamp range to avoid
 overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: clusterfuzz-testcase-ffmpeg_dem_LRC_fuzzer-5226140131459072
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit c74bc74398e7a1e235fdf51d0dd2dfb942626c82)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/lrcdec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 18dc955917..4a7fd80c68 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -77,7 +77,7 @@ static int64_t count_ts(const char *p)
 static int64_t read_ts(const char *p, int64_t *start)
 {
     int64_t offset = 0;
-    uint64_t mm;
+    uint32_t mm;
     double ss;
     char prefix[3];
 
@@ -87,8 +87,8 @@ static int64_t read_ts(const char *p, int64_t *start)
     if(p[offset] != '[') {
         return 0;
     }
-    int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss);
-    if (ret != 3 || prefix[0] != '[') {
+    int ret = sscanf(p, "%2[[-]%"SCNu32":%lf]", prefix, &mm, &ss);
+    if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
         return 0;
     }
     *start = (mm * 60 + ss) * AV_TIME_BASE;