From b06e2975240de9aca03dd6af5c45bee964678ec4 Mon Sep 17 00:00:00 2001
From: Oleg Oshmyan
Date: Sat, 4 Feb 2017 01:05:29 +0200
Subject: Fix integer overflow while parsing \fad(arg, large negative number)

If t3 is initially negative, it should be set to a value larger than the duration of the event. This triggers the `now < t3` branch in interpolate_alpha (if none of the earlier branches are taken). The same effect can be achieved by setting t3 to the duration itself.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=531.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3905.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11736.
---
 libass/ass_parse.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'libass')

diff --git a/libass/ass_parse.c b/libass/ass_parse.c
index b40cc33..ef5c01f 100644
--- a/libass/ass_parse.c
+++ b/libass/ass_parse.c
@@ -603,7 +603,12 @@ char *parse_tags(ASS_Renderer *render_priv, char *p, char *end, double pwr,
 if (t1 == -1 && t4 == -1) {
 t1 = 0;
 t4 = render_priv->state.event->Duration;
- t3 = t4 - t3;
+ // The value we parsed in t3 is an offset from the event end.
+ // What we really want in t3 is an offset from the event start.
+ // To this end, set t3 to (event duration - parsed value).
+ // If t3 >= t4, the exact value of t3 will not matter,
+ // so clamp it to avoid overflow in the subtraction.
+ t3 = t4 - FFMAX(t3, 0);
 }
 if ((render_priv->state.parsed_tags & PARSED_FADE) == 0) {
 render_priv->state.fade =
--
cgit v1.2.3
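Review bot: The added comment switches meaning of `t3` mid-sentence: the first three lines talk about the parsed value, while "If t3 >= t4" refers to the value after the assignment, which makes the reasoning behind `FFMAX(t3, 0)` harder to check than it needs to be. I would state the invariant in terms of the parsed value, e.g. `// A negative parsed value would put the fade end past the event end; clamp it to 0 so t3 becomes t4, which interpolate_alpha treats the same way, and the subtraction can no longer overflow.` The clamp only covers the negative side; a parsed value larger than Duration still yields a negative t3, which presumably lands in one of interpolate_alpha's earlier branches but is not argued here, so the three oss-fuzz inputs named in the message are worth keeping as regression cases. The types of t3 and t4 are not visible in the hunk; if t3 is narrower than `Duration`, the assignment still truncates and that should be confirmed. parse_tags's body continues outside the hunk.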