[FFmpeg-cvslog] smacker: fix integer overflow with pts_inc

Sat Nov 11 20:22:43 EET 2017

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Sep 24 12:58:42 2017 +0200| [ec683ed527cef9aad208d1daeb10d0e7fb63e75e] | committer: Sean McGovern

smacker: fix integer overflow with pts_inc

Bug-Id: 1073

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Sean McGovern <gseanmcg at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ec683ed527cef9aad208d1daeb10d0e7fb63e75e
---

 libavformat/smacker.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 56c909bc06..304e746a91 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -117,6 +117,11 @@ static int smacker_read_header(AVFormatContext *s)
     smk->height = avio_rl32(pb);
     smk->frames = avio_rl32(pb);
     smk->pts_inc = (int32_t)avio_rl32(pb);
+    if (smk->pts_inc > INT_MAX / 100) {
+        av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc);
+        return AVERROR_INVALIDDATA;
+    }
+
     smk->flags = avio_rl32(pb);
     if(smk->flags & SMACKER_FLAG_RING_FRAME)
         smk->frames++;

