aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2015-12-05 13:06:16 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2015-12-06 02:08:26 +0100
commitc108dfc6ccd81002dc5d9dd3e7dc996eb3df4d9a (patch)
treeb05e6621e8eb10ee113f338fda70bd41d148dce3
parentf41c1d3bfeca1b9dfbf2c3735f0f2f3ed6591632 (diff)
downloadffmpeg-c108dfc6ccd81002dc5d9dd3e7dc996eb3df4d9a.tar.gz
avformat/smacker: fix integer overflow with pts_inc
Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/smacker.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 5dcf4adafe..de8bbdb07a 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s)
smk->height = avio_rl32(pb);
smk->frames = avio_rl32(pb);
smk->pts_inc = (int32_t)avio_rl32(pb);
+ if (smk->pts_inc > INT_MAX / 100) {
+ av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc);
+ return AVERROR_INVALIDDATA;
+ }
+
smk->flags = avio_rl32(pb);
if(smk->flags & SMACKER_FLAG_RING_FRAME)
smk->frames++;