avformat/mvdec: Check sample rate in parse_audio_var()

Fixes: signed integer overflow: -635424002382840000 * 16 cannot be represented in type 'long' Fixes: 33612/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5704741108711424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 0ff60249a57cba00ab679ca6190a802cc0c7b9c7) Signed-off-by: Michael Niedermayer <[email protected]>
author: Michael Niedermayer <[email protected]> 2021-04-28 16:44:13 +0200
committer: Michael Niedermayer <[email protected]> 2021-06-18 20:53:56 +0200
commit: 5f0c0883c25f398ef23cfbbe82bdd13bb3e3c799 (patch)
tree: c23ec425e1d08da0fddb7e792bdc347c607c12cf
parent: 89d8eae0c618b156361d27200f4629becbdabb1e (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 045c66ac3c..b833abfa19 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -157,6 +157,8 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st,
         return set_channels(avctx, st, var_read_int(pb, size));
     } else if (!strcmp(name, "SAMPLE_RATE")) {
         st->codecpar->sample_rate = var_read_int(pb, size);
+        if (st->codecpar->sample_rate <= 0)
+            return AVERROR_INVALIDDATA;
         avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate);
     } else if (!strcmp(name, "SAMPLE_WIDTH")) {
         uint64_t bpc = var_read_int(pb, size) * (uint64_t)8;
author	Michael Niedermayer <[email protected]>	2021-04-28 16:44:13 +0200
committer	Michael Niedermayer <[email protected]>	2021-06-18 20:53:56 +0200
commit	5f0c0883c25f398ef23cfbbe82bdd13bb3e3c799 (patch)
tree	c23ec425e1d08da0fddb7e792bdc347c607c12cf
parent	89d8eae0c618b156361d27200f4629becbdabb1e (diff)