lavf: avoid integer overflow in ff_compute_frame_duration()

Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Janne Grunau <janne-libav@jannau.net> 2012-11-23 14:05:36 +0100
committer: Reinhard Tartler <siretart@tauware.de> 2013-01-12 17:59:39 +0100
commit: d282e5ce7286eab3bc4f5cbfe81a74551bd31006 (patch)
tree: 22c7f6dbf1ebc7511f0d7220abe90bf0c0a56059
parent: a4a63bf5b55f9b42b752301ae417ee3f50f5a594 (diff)
download: ffmpeg-d282e5ce7286eab3bc4f5cbfe81a74551bd31006.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 240cd94925..9dc1dcb2c6 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -838,7 +838,10 @@ static void compute_frame_duration(int *pnum, int *pden, AVStream *st,
             *pnum = st->codec->time_base.num;
             *pden = st->codec->time_base.den;
             if (pc && pc->repeat_pict) {
-                *pnum = (*pnum) * (1 + pc->repeat_pict);
+                if (*pnum > INT_MAX / (1 + pc->repeat_pict))
+                    *pden /= 1 + pc->repeat_pict;
+                else
+                    *pnum *= 1 + pc->repeat_pict;
             }
             //If this codec can be interlaced or progressive then we need a parser to compute duration of a packet
             //Thus if we have no parser in such case leave duration undefined.
author	Janne Grunau <janne-libav@jannau.net>	2012-11-23 14:05:36 +0100
committer	Reinhard Tartler <siretart@tauware.de>	2013-01-12 17:59:39 +0100
commit	d282e5ce7286eab3bc4f5cbfe81a74551bd31006 (patch)
tree	22c7f6dbf1ebc7511f0d7220abe90bf0c0a56059
parent	a4a63bf5b55f9b42b752301ae417ee3f50f5a594 (diff)
download	ffmpeg-d282e5ce7286eab3bc4f5cbfe81a74551bd31006.tar.gz