mpegvideo_parser: avoid signed overflow in bitrate calculation
authorAnton Khirnov <anton@khirnov.net>
Sat, 17 Dec 2016 14:07:51 +0000 (15:07 +0100)
committerDiego Biurrun <diego@biurrun.de>
Thu, 12 Jan 2017 10:10:28 +0000 (11:10 +0100)
Bug-Id: 981
Bug-Id: CVE-2016-9821
Found-By: Agostino Sarubbo
(cherry picked from commit 58405de0951a843765625159402870c1eea3c3b1)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
libavcodec/mpegvideo_parser.c

index 1798f83..93b6c94 100644 (file)
@@ -80,7 +80,14 @@ static void mpegvideo_extract_headers(AVCodecParserContext *s,
 
                         pc->width  |=(horiz_size_ext << 12);
                         pc->height |=( vert_size_ext << 12);
-                        avctx->bit_rate += (bit_rate_ext << 18) * 400;
+
+                        bit_rate_ext <<= 18;
+                        if (bit_rate_ext < INT_MAX / 400 &&
+                            bit_rate_ext * 400 < INT_MAX - avctx->bit_rate) {
+                            avctx->bit_rate += bit_rate_ext * 400;
+                        } else
+                            avctx->bit_rate = 0;
+
                         if(did_set_size)
                             avcodec_set_dimensions(avctx, pc->width, pc->height);
                         avctx->time_base.den = pc->frame_rate.den * (frame_rate_ext_n + 1) * 2;
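Review bot: The second clause of the new guard, `bit_rate_ext * 400 < INT_MAX - avctx->bit_rate`, is only overflow-free while `avctx->bit_rate` is non-negative, and nothing in this hunk establishes that. If the field is a signed int (as the `INT_MAX` bound suggests) and can arrive negative from elsewhere, putting `avctx->bit_rate >= 0 &&` first in the condition would send that case to the reset branch as well. The `else` branch silently stores 0 for an out-of-range value taken from the stream; if 0 is meant to signal an unknown bitrate, a comment such as `/* extension would overflow int: leave bitrate unset */` would show that this is deliberate. The unbraced `else` after a braced `if` should also get braces. mpegvideo_extract_headers starts and ends outside the hunk, so the declaration and width of `bit_rate_ext` are not visible here and the safety of `bit_rate_ext <<= 18` cannot be confirmed from these lines.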