avformat/smacker: fix integer overflow with pts_inc

Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 9 years ago
parent 3f46e7bad5
commit 7ed47e9729
  1. 5
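--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s)
 smk->height = avio_rl32(pb);
 smk->frames = avio_rl32(pb);
 smk->pts_inc = (int32_t)avio_rl32(pb);
+if (smk->pts_inc > INT_MAX / 100) {
+av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc);
+return AVERROR_INVALIDDATA;
+}
 smk->flags = avio_rl32(pb);
 if(smk->flags & SMACKER_FLAG_RING_FRAME)
 smk->frames++;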
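Review bot: The added guard bounds `smk->pts_inc` only from above, although the field is read through an `(int32_t)` cast and so can be negative, down to INT_MIN, straight from the file header. If code later in smacker_read_header negates negative values (that part of the function is outside this hunk, so this is an inference), INT_MIN would still trigger signed overflow; extending the condition to `if (smk->pts_inc > INT_MAX / 100 || smk->pts_inc == INT_MIN) {` would close that side. The divisor 100 is also unexplained here; a short comment such as `/* pts_inc is scaled by 100 below; reject values that would overflow int */` would tie the bound to the arithmetic it protects. The function begins before and continues after the lines shown.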
