mpeg12dec: avoid signed overflow in bitrate calculation
authorAnton Khirnov <anton@khirnov.net>
Sat, 17 Dec 2016 14:07:51 +0000 (15:07 +0100)
committerDiego Biurrun <diego@biurrun.de>
Thu, 12 Jan 2017 10:10:57 +0000 (11:10 +0100)
CC: libav-stable@libav.org
Bug-Id: 981
Bug-Id: CVE-2016-9822
Found-By: Agostino Sarubbo
(cherry picked from commit e807491fc6a336e4becc0cbc981274a8fde18aba)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
libavcodec/mpeg12.c

index 4db2753..aa6e9e8 100644 (file)
@@ -1378,8 +1378,17 @@ static void mpeg_decode_sequence_extension(Mpeg1Context *s1)
     vert_size_ext           = get_bits(&s->gb, 2);
     s->width  |= (horiz_size_ext << 12);
     s->height |= (vert_size_ext  << 12);
-    bit_rate_ext = get_bits(&s->gb, 12);  /* XXX: handle it */
-    s->bit_rate += (bit_rate_ext << 18) * 400;
+
+    bit_rate_ext = get_bits(&s->gb, 12) << 18;
+    if (bit_rate_ext < INT_MAX / 400 &&
+        bit_rate_ext * 400 < INT_MAX - s->bit_rate) {
+        s->bit_rate += bit_rate_ext * 400;
+    } else {
+        av_log(s->avctx, AV_LOG_WARNING, "Invalid bit rate extension value: %d\n",
+               bit_rate_ext >> 18);
+        s->bit_rate = 0;
+    }
+
     skip_bits1(&s->gb); /* marker */
     s->avctx->rc_buffer_size += get_bits(&s->gb, 8) * 1024 * 16 << 10;