[CVE patch] CVE-2016-2636 in libav version 11.7 95/76195/1 accepted/tizen/common/20160627.191537 accepted/tizen/common/20160629.222525 accepted/tizen/ivi/20160629.020735 accepted/tizen/mobile/20160629.020842 accepted/tizen/tv/20160629.020755 accepted/tizen/wearable/20160629.020818 submit/tizen/20160623.064645 submit/tizen/20160628.080717
authorJiyong Min <jiyong.min@samsung.com>
Thu, 23 Jun 2016 06:21:19 +0000 (15:21 +0900)
committerJiyong Min <jiyong.min@samsung.com>
Thu, 23 Jun 2016 06:22:52 +0000 (15:22 +0900)
 - asfenc: fix some possible integer overflows (CVE-2016-2326)

Change-Id: I9904997efff6a91ed4c74d4135611c04a63e637f
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
libavformat/asfenc.c

index 4ae52bd..4cd1a4a 100644 (file)
@@ -410,7 +410,7 @@ static int asf_write_header1(AVFormatContext *s, int64_t file_size,
     avio_wl64(pb, unix_to_file_time(file_time));
     avio_wl64(pb, asf->nb_packets); /* number of packets */
     avio_wl64(pb, play_duration); /* end time stamp (in 100ns units) */
-    avio_wl64(pb, send->duration); /* duration (in 100ns units) */
+    avio_wl64(pb, send_duration); /* duration (in 100ns units) */
     avio_wl64(pb, PREROLL_TIME); /* start time stamp */
     avio_wl32(pb, (asf->is_streamed || !pb->seekable) ? 3 : 2);  /* ??? */
     avio_wl32(pb, s->packet_size); /* packet size */
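Review bot: `send_duration` and `play_duration` are declared and assigned outside this hunk, so it cannot be confirmed here that both are 64-bit and computed without intermediate `int` arithmetic. This is an integer-overflow backport, so that is worth checking at their assignment, since writing them with `avio_wl64` presumably does not repair a value that has already wrapped. The old spelling `send->duration` matches no identifier visible here, which suggests the previous revision may not have been build-tested. The commit title names CVE-2016-2636 while the description names CVE-2016-2326; the two should be reconciled so advisory tracking matches the fix. The body of asf_write_header1 starts and ends outside the hunk.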
@@ -869,10 +869,6 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt)
             return AVERROR(ERANGE);
 
         start_sec = pts / 1000;
-        if (start_sec != asf->last_indexed_pts / 1000) {        if (pts / 1000LL > INT_MAX)
-            return AVERROR(ERANGE);
-
-        start_sec = pts / 1000;
         if (start_sec != asf->last_indexed_pts / 1000) {
             for (i = asf->nb_index_count; i < start_sec; i++) {
                 if (i >= asf->nb_index_memory_alloc) {
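Review bot: The guard ending in `return AVERROR(ERANGE);` begins above the hunk and, judging by the removed duplicate, rejects only `pts / 1000LL > INT_MAX`. Large in-range timestamps therefore still reach `for (i = asf->nb_index_count; i < start_sec; i++)`, and negative `pts` is not visibly rejected here. That loop appears to extend the index by one entry per second up to `start_sec`, so one packet with a far-future timestamp could cost memory and CPU proportional to its value. Consider a tighter bound on the gap between `asf->nb_index_count` and `start_sec`, or at least a comment above the loop such as `/* index grows one entry per second up to start_sec; pts only bounded by INT_MAX seconds */`. The loop body and enclosing block continue past the end of the hunk.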