aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJanne Grunau <janne-libav@jannau.net>2012-11-23 14:05:36 +0100
committerReinhard Tartler <siretart@tauware.de>2013-01-12 19:27:42 +0100
commit10ff052c601368f129466e6de19e9862aaaec7d1 (patch)
tree36b7d2084a038ec7be398f6e46dc684b02f0754f
parentb143844ea0f6246e0d5a938d743e2e8a98453bec (diff)
downloadffmpeg-10ff052c601368f129466e6de19e9862aaaec7d1.tar.gz
lavf: avoid integer overflow in ff_compute_frame_duration()
Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r--libavformat/utils.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 5f3da495fd..be679258a0 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -813,7 +813,10 @@ static void compute_frame_duration(int *pnum, int *pden, AVStream *st,
*pnum = st->codec->time_base.num;
*pden = st->codec->time_base.den;
if (pc && pc->repeat_pict) {
- *pnum = (*pnum) * (1 + pc->repeat_pict);
+ if (*pnum > INT_MAX / (1 + pc->repeat_pict))
+ *pden /= 1 + pc->repeat_pict;
+ else
+ *pnum *= 1 + pc->repeat_pict;
}
//If this codec can be interlaced or progressive then we need a parser to compute duration of a packet
//Thus if we have no parser in such case leave duration undefined.