avformat/smacker: fix integer overflow with pts_inc

Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1 files changed, 5 insertions, 0 deletions

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 5dcf4adafe..de8bbdb07a 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s)
     smk->height = avio_rl32(pb);
     smk->frames = avio_rl32(pb);
     smk->pts_inc = (int32_t)avio_rl32(pb);
+    if (smk->pts_inc > INT_MAX / 100) {
+        av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc);
+        return AVERROR_INVALIDDATA;
+    }
+
     smk->flags = avio_rl32(pb);
     if(smk->flags & SMACKER_FLAG_RING_FRAME)
         smk->frames++;