avformat/utils: Check rfps_duration_sum for overflow

Fixes: signed integer overflow: 9151595917793558550 + 297519050751678697 cannot be represented in type 'long' Fixes: 15496/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5722866475073536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5c46fdf305caac8bf2f270e69e60ae3d614df468) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2019-07-04 23:01:19 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2019-12-02 19:41:48 +0100
commit: 73556665ec90349e4ef431309c8bc63f5dd5fbef (patch)
tree: b433d523eeedd659b37bc82ed6a1761f52376029
parent: 9ad8710d1cdd0469c522be8b6349112ff3a23d6d (diff)
download: ffmpeg-73556665ec90349e4ef431309c8bc63f5dd5fbef.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/libavformat/utils.c b/libavformat/utils.c
index b0d330ba9f..bc0dd21f09 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3002,8 +3002,10 @@ int ff_rfps_add_frame(AVFormatContext *ic, AVStream *st, int64_t ts)
                 }
             }
         }
-        st->info->duration_count++;
-        st->info->rfps_duration_sum += duration;
+        if (st->info->rfps_duration_sum <= INT64_MAX - duration) {
+            st->info->duration_count++;
+            st->info->rfps_duration_sum += duration;
+        }
 
         if (st->info->duration_count % 10 == 0) {
             int n = st->info->duration_count;
author	Michael Niedermayer <michael@niedermayer.cc>	2019-07-04 23:01:19 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2019-12-02 19:41:48 +0100
commit	73556665ec90349e4ef431309c8bc63f5dd5fbef (patch)
tree	b433d523eeedd659b37bc82ed6a1761f52376029
parent	9ad8710d1cdd0469c522be8b6349112ff3a23d6d (diff)
download	ffmpeg-73556665ec90349e4ef431309c8bc63f5dd5fbef.tar.gz