mpeg12dec: avoid signed overflow in bitrate calculation

CC: libav-stable@libav.org Bug-Id: 981 Found-By: Agostino Sarubbo
author: Anton Khirnov <anton@khirnov.net> 2016-12-17 15:07:51 +0100
committer: Anton Khirnov <anton@khirnov.net> 2016-12-19 08:15:42 +0100
commit: e807491fc6a336e4becc0cbc981274a8fde18aba (patch)
tree: a7f7cc0f4533752ae197fbbc94d4a63cc16d4059
parent: 58405de0951a843765625159402870c1eea3c3b1 (diff)
download: ffmpeg-e807491fc6a336e4becc0cbc981274a8fde18aba.tar.gz
1 files changed, 11 insertions, 2 deletions
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index 2d9c99d63f..310169becc 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -1358,8 +1358,17 @@ static void mpeg_decode_sequence_extension(Mpeg1Context *s1)
     vert_size_ext           = get_bits(&s->gb, 2);
     s->width  |= (horiz_size_ext << 12);
     s->height |= (vert_size_ext  << 12);
-    bit_rate_ext = get_bits(&s->gb, 12);  /* XXX: handle it */
-    s->bit_rate += (bit_rate_ext << 18) * 400;
+
+    bit_rate_ext = get_bits(&s->gb, 12) << 18;
+    if (bit_rate_ext < INT_MAX / 400 &&
+        bit_rate_ext * 400 < INT_MAX - s->bit_rate) {
+        s->bit_rate += bit_rate_ext * 400;
+    } else {
+        av_log(s->avctx, AV_LOG_WARNING, "Invalid bit rate extension value: %d\n",
+               bit_rate_ext >> 18);
+        s->bit_rate = 0;
+    }
+
     skip_bits1(&s->gb); /* marker */
     s->avctx->rc_buffer_size += get_bits(&s->gb, 8) * 1024 * 16 << 10;
author	Anton Khirnov <anton@khirnov.net>	2016-12-17 15:07:51 +0100
committer	Anton Khirnov <anton@khirnov.net>	2016-12-19 08:15:42 +0100
commit	e807491fc6a336e4becc0cbc981274a8fde18aba (patch)
tree	a7f7cc0f4533752ae197fbbc94d4a63cc16d4059
parent	58405de0951a843765625159402870c1eea3c3b1 (diff)
download	ffmpeg-e807491fc6a336e4becc0cbc981274a8fde18aba.tar.gz