Module: libav Branch: release/0.8 Commit: 97b94eb77d16cb25a2a601ea9b59fc2ef94c3e05
Author: Anton Khirnov <[email protected]> Committer: Diego Biurrun <[email protected]> Date: Sat Dec 17 15:07:51 2016 +0100 mpegvideo_parser: avoid signed overflow in bitrate calculation Bug-Id: 981 Bug-Id: CVE-2016-9821 Found-By: Agostino Sarubbo (cherry picked from commit 58405de0951a843765625159402870c1eea3c3b1) Signed-off-by: Diego Biurrun <[email protected]>
---
 libavcodec/mpegvideo_parser.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libavcodec/mpegvideo_parser.c b/libavcodec/mpegvideo_parser.c
index 1798f83..93b6c94 100644
--- a/libavcodec/mpegvideo_parser.c
+++ b/libavcodec/mpegvideo_parser.c
@@ -80,7 +80,14 @@ static void mpegvideo_extract_headers(AVCodecParserContext *s,
 pc->width |=(horiz_size_ext << 12);
 pc->height |=( vert_size_ext << 12);
- avctx->bit_rate += (bit_rate_ext << 18) * 400;
+
+ bit_rate_ext <<= 18;
+ if (bit_rate_ext < INT_MAX / 400 &&
+ bit_rate_ext * 400 < INT_MAX - avctx->bit_rate) {
+ avctx->bit_rate += bit_rate_ext * 400;
+ } else
+ avctx->bit_rate = 0;
+
 if(did_set_size)
 avcodec_set_dimensions(avctx, pc->width, pc->height);
 avctx->time_base.den = pc->frame_rate.den * (frame_rate_ext_n + 1) * 2;
_______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
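Review bot: The second half of the new guard, `bit_rate_ext * 400 < INT_MAX - avctx->bit_rate`, is itself a signed subtraction and is only overflow-free while `avctx->bit_rate` is non-negative, which nothing in this hunk establishes. If the field can hold a caller-supplied or stale value when the extension header is parsed, adding `avctx->bit_rate >= 0 &&` to the condition would close that gap. The fallback branch would also benefit from a comment such as `/* would overflow int: report the bitrate as unknown */`, since resetting to 0 silently discards the base bitrate, and from braces to match the `if` arm. The enclosing function mpegvideo_extract_headers starts and ends outside the hunk, so the declaration and range of `bit_rate_ext` could not be checked here.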
