Module: libav Branch: release/9 Commit: 5046b4810cfec963153f69f535168eac27a13590
Author: Anton Khirnov <[email protected]> Committer: Sean McGovern <[email protected]> Date: Sat Dec 17 15:07:51 2016 +0100 mpeg12: avoid signed overflow in bitrate calculation CC: [email protected] Bug-Id: 981 Found-By: Agostino Sarubbo (cherry picked from commit e807491fc6a336e4becc0cbc981274a8fde18aba) Signed-off-by: Sean McGovern <[email protected]>
---
 libavcodec/mpeg12.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c
index e40ef08..a49828e 100644
--- a/libavcodec/mpeg12.c
+++ b/libavcodec/mpeg12.c
@@ -1379,8 +1379,17 @@ static void mpeg_decode_sequence_extension(Mpeg1Context *s1)
 vert_size_ext = get_bits(&s->gb, 2);
 s->width |= (horiz_size_ext << 12);
 s->height |= (vert_size_ext << 12);
- bit_rate_ext = get_bits(&s->gb, 12); /* XXX: handle it */
- s->bit_rate += (bit_rate_ext << 18) * 400;
+
+ bit_rate_ext = get_bits(&s->gb, 12) << 18;
+ if (bit_rate_ext < INT_MAX / 400 &&
+ bit_rate_ext * 400 < INT_MAX - s->bit_rate) {
+ s->bit_rate += bit_rate_ext * 400;
+ } else {
+ av_log(s->avctx, AV_LOG_WARNING, "Invalid bit rate extension value: %d\n",
+ bit_rate_ext >> 18);
+ s->bit_rate = 0;
+ }
+
 skip_bits1(&s->gb); /* marker */
 s->avctx->rc_buffer_size += get_bits(&s->gb, 8) * 1024 * 16 << 10;

_______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
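Review bot: The context line right after the new guard, `s->avctx->rc_buffer_size += get_bits(&s->gb, 8) * 1024 * 16 << 10;`, still accumulates a bitstream-controlled value with no range check, which is the same pattern this commit fixes for `s->bit_rate`. An 8-bit field value of 128 or more makes the term exceed INT_MAX, so depending on the return type of get_bits (not visible in this hunk) this is either signed overflow or an out-of-range conversion into the int field, and repeated sequence extensions keep adding to it. I would give it the same treatment: compute the term in a wider type, e.g. `int64_t buf_ext = (int64_t)get_bits(&s->gb, 8) * 1024 * 16 << 10;`, and add it only when `buf_ext <= INT_MAX - s->avctx->rc_buffer_size`, otherwise warn and reset the field. Separately, the new test `bit_rate_ext * 400 < INT_MAX - s->bit_rate` is itself overflow-free only if `s->bit_rate` is non-negative on entry; that value is set outside the hunk and is worth confirming. The body of mpeg_decode_sequence_extension starts and ends outside the hunk.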
