From b7e56970da855639a2efdc9f459e8ad61a0d529a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 14 Feb 2026 01:46:48 +0100
Subject: [PATCH] avcodec/h264_parser: Check pts for overflow
Fixes: signed integer overflow: 9223372036854775807 + 3546086691638400 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 471723681/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4841032488648704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 30a6b78bd4f8d49885cb6536ba83c1f51df0c0a4)
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264_parser.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c
index 7cb7733116..0a8086819e 100644
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -631,8 +631,12 @@ static int h264_parse(AVCodecParserContext *s,
 s->dts = av_sat_add64(p->reference_dts, av_rescale(s->dts_ref_dts_delta, num, den));
 }
- if (p->reference_dts != AV_NOPTS_VALUE && s->pts == AV_NOPTS_VALUE)
- s->pts = s->dts + av_rescale(s->pts_dts_delta, num, den);
+ if (p->reference_dts != AV_NOPTS_VALUE && s->pts == AV_NOPTS_VALUE) {
+ int64_t pts_dts_delta = av_rescale(s->pts_dts_delta, num, den);
+ uint64_t pts = (uint64_t)s->dts + pts_dts_delta;
+ if (pts == av_sat_add64(s->dts, pts_dts_delta))
+ s->pts = pts;
+ }
 if (s->dts_sync_point > 0)
 p->reference_dts = s->dts; // new reference
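Review bot: The overflow check in `if (pts == av_sat_add64(s->dts, pts_dts_delta))` depends on an implicit int64_t-to-uint64_t conversion in the comparison, and `s->pts = pts;` then converts the uint64_t back to int64_t, which is implementation-defined for values above INT64_MAX (that is, for every negative timestamp). Keeping the saturated sum in a signed variable avoids both: `int64_t sat = av_sat_add64(s->dts, pts_dts_delta);` followed by `if ((uint64_t)s->dts + (uint64_t)pts_dts_delta == (uint64_t)sat) s->pts = sat;`. A one-line comment such as `/* on overflow leave pts unset instead of storing a saturated value */` would also record why a mismatch leaves s->pts at AV_NOPTS_VALUE while the dts path in the context lines above saturates. The av_rescale() result is added without a check for its INT64_MIN failure return; whether num and den can trigger that is not visible in this hunk. h264_parse starts and ends outside the hunk.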