Module: libav Branch: release/0.8 Commit: 94e2850644379cd1dad0829ac991ceedbe50b9ea
Author: Anton Khirnov <[email protected]> Committer: Diego Biurrun <[email protected]> Date: Sat Dec 17 15:07:51 2016 +0100 mpeg12dec: avoid signed overflow in bitrate calculation CC: [email protected] Bug-Id: 981 Bug-Id: CVE-2016-9822 Found-By: Agostino Sarubbo (cherry picked from commit e807491fc6a336e4becc0cbc981274a8fde18aba) Signed-off-by: Diego Biurrun <[email protected]> --- libavcodec/mpeg12.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 4db2753..aa6e9e8 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -1378,8 +1378,17 @@ static void mpeg_decode_sequence_extension(Mpeg1Context *s1) vert_size_ext = get_bits(&s->gb, 2); s->width |= (horiz_size_ext << 12); s->height |= (vert_size_ext << 12); - bit_rate_ext = get_bits(&s->gb, 12); /* XXX: handle it */ - s->bit_rate += (bit_rate_ext << 18) * 400; + + bit_rate_ext = get_bits(&s->gb, 12) << 18; + if (bit_rate_ext < INT_MAX / 400 && + bit_rate_ext * 400 < INT_MAX - s->bit_rate) { + s->bit_rate += bit_rate_ext * 400; + } else { + av_log(s->avctx, AV_LOG_WARNING, "Invalid bit rate extension value: %d\n", + bit_rate_ext >> 18); + s->bit_rate = 0; + } + skip_bits1(&s->gb); /* marker */ s->avctx->rc_buffer_size += get_bits(&s->gb, 8) * 1024 * 16 << 10; _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
