avformat/avidec: Fix integer overflow in cum_len check
author Michael Niedermayer <michael@niedermayer.cc>
Thu, 8 Mar 2018 21:40:50 +0000 (22:40 +0100)
committer Michael Niedermayer <michael@niedermayer.cc>
Mon, 22 Oct 2018 23:44:40 +0000 (01:44 +0200)
Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long'
Fixes: Chromium bug 791237

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/avidec.c

index 1a9563a..efb5d86 100644 (file)
@@ -667,7 +667,7 @@ static int avi_read_header(AVFormatContext *s)
             st->start_time = 0;
             avio_rl32(pb); /* buffer size */
             avio_rl32(pb); /* quality */
-            if (ast->cum_len*ast->scale/ast->rate > 3600) {
+            if (ast->cum_len > 3600LL * ast->rate / ast->scale) {
                 av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving up\n");
                 ast->cum_len = 0;
             }
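Review bot: The rewritten condition on the `+` line now divides by `ast->scale` where the old one divided by `ast->rate`, and nothing in the visible context shows `ast->scale` being checked for zero before this point. Please confirm that an earlier part of avi_read_header rejects or replaces a zero scale, or add an explicit guard here, since a crafted header could otherwise trade the signed overflow for a division by zero. Two smaller points: `3600LL * ast->rate` is only overflow-free if `ast->rate` is no wider than 32 bits, which the hunk does not show, so a short comment stating that assumption would help; and the integer division `3600LL * ast->rate / ast->scale` truncates, so the threshold differs slightly from the original expression when rate is not a multiple of scale. That is acceptable for a sanity limit but worth mentioning in the commit message.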