lavf: avoid integer overflow in ff_compute_frame_duration()

Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.

CC: libav-stable@libav.org

diff --git a/libavformat/utils.c b/libavformat/utils.c
index ca52469bdb0355f9db22bb2389e3b7895825423a..fc8b770a85b93e0967a1167104871235e58aa23b 100644 (file)
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -725,7 +725,10 @@ void ff_compute_frame_duration(int *pnum, int *pden, AVStream *st,
             *pnum = st->codec->time_base.num;
             *pden = st->codec->time_base.den;
             if (pc && pc->repeat_pict) {
-                *pnum = (*pnum) * (1 + pc->repeat_pict);
+                if (*pnum > INT_MAX / (1 + pc->repeat_pict))
+                    *pden /= 1 + pc->repeat_pict;
+                else
+                    *pnum *= 1 + pc->repeat_pict;
             }
             //If this codec can be interlaced or progressive then we need a parser to compute duration of a packet
             //Thus if we have no parser in such case leave duration undefined.