Vorbis-in-Ogg: Do not set timebase to invalid values

Avoids an assert when the sample rate is invalid and the timebase
is thus set to e.g. 1/0.
Sample file is http://samples.mplayerhq.hu/ogg/fuzzed-srate-crash.ogg

This is a quick fix for a crash, not a final solution.

Signed-off-by: Mans Rullgard <mans@mansr.com>

1 files changed, 7 insertions, 3 deletions

diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index cdb0266eee..d743d25e2d 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -221,6 +221,7 @@ vorbis_header (AVFormatContext * s, int idx)
     if (os->buf[os->pstart] == 1) {
         const uint8_t *p = os->buf + os->pstart + 7; /* skip "\001vorbis" tag */
         unsigned blocksize, bs0, bs1;
+        int srate;
 
         if (os->psize != 30)
             return -1;
@@ -229,7 +230,7 @@ vorbis_header (AVFormatContext * s, int idx)
             return -1;
 
         st->codec->channels = bytestream_get_byte(&p);
-        st->codec->sample_rate = bytestream_get_le32(&p);
+        srate = bytestream_get_le32(&p);
         p += 4; // skip maximum bitrate
         st->codec->bit_rate = bytestream_get_le32(&p); // nominal bitrate
         p += 4; // skip minimum bitrate
@@ -249,8 +250,11 @@ vorbis_header (AVFormatContext * s, int idx)
         st->codec->codec_type = AVMEDIA_TYPE_AUDIO;
         st->codec->codec_id = CODEC_ID_VORBIS;
 
-        st->time_base.num = 1;
-        st->time_base.den = st->codec->sample_rate;
+        if (srate > 0) {
+            st->codec->sample_rate = srate;
+            st->time_base.num = 1;
+            st->time_base.den = srate;
+        }
     } else if (os->buf[os->pstart] == 3) {
         if (os->psize > 8)
             ff_vorbis_comment (s, &st->metadata, os->buf + os->pstart + 7, os->psize - 8);