From 58405de0951a843765625159402870c1eea3c3b1 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 17 Dec 2016 15:07:51 +0100
Subject: [PATCH 1/2] mpegvideo_parser: avoid signed overflow in bitrate calculation

CC: libav-stable@libav.org
Bug-Id: 981
Found-By: Agostino Sarubbo
---
 libavcodec/mpegvideo_parser.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mpegvideo_parser.c b/libavcodec/mpegvideo_parser.c
index 27f2985509..500d1240ef 100644
--- a/libavcodec/mpegvideo_parser.c
+++ b/libavcodec/mpegvideo_parser.c
@@ -97,7 +97,14 @@ static void mpegvideo_extract_headers(AVCodecParserContext *s,
 pc->width |=(horiz_size_ext << 12);
 pc->height |=( vert_size_ext << 12);
- avctx->bit_rate += (bit_rate_ext << 18) * 400;
+
+ bit_rate_ext <<= 18;
+ if (bit_rate_ext < INT_MAX / 400 &&
+ bit_rate_ext * 400 < INT_MAX - avctx->bit_rate) {
+ avctx->bit_rate += bit_rate_ext * 400;
+ } else
+ avctx->bit_rate = 0;
+
 if(did_set_size)
 ff_set_dimensions(avctx, pc->width, pc->height);
 avctx->framerate.num = pc->frame_rate.num * (frame_rate_ext_n + 1) * 2;
From e807491fc6a336e4becc0cbc981274a8fde18aba Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 17 Dec 2016 15:07:51 +0100
Subject: [PATCH 2/2] mpeg12dec: avoid signed overflow in bitrate calculation

CC: libav-stable@libav.org
Bug-Id: 981
Found-By: Agostino Sarubbo
---
 libavcodec/mpeg12dec.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index 2d9c99d63f..310169becc 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
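Review bot: In mpegvideo_extract_headers (libavcodec/mpegvideo_parser.c), the second half of the new guard, `bit_rate_ext * 400 < INT_MAX - avctx->bit_rate`, is itself signed arithmetic and is only overflow-free while `avctx->bit_rate` is non-negative, which nothing in the hunk establishes (the field's type and earlier assignments are outside it). I would make that precondition explicit by adding `avctx->bit_rate >= 0 &&` as the first condition; the same applies to the `s->bit_rate` comparison in mpeg_decode_sequence_extension (libavcodec/mpeg12dec.c). The `else` branch here also resets the rate silently, unlike the mpeg12dec.c version which logs a warning; a one-line comment on why 0 is the chosen fallback, and braces to match the `if`, would help the next reader. The function body starts and ends outside the hunk.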
@@ -1358,8 +1358,17 @@ static void mpeg_decode_sequence_extension(Mpeg1Context *s1)
 vert_size_ext = get_bits(&s->gb, 2);
 s->width |= (horiz_size_ext << 12);
 s->height |= (vert_size_ext << 12);
- bit_rate_ext = get_bits(&s->gb, 12); /* XXX: handle it */
- s->bit_rate += (bit_rate_ext << 18) * 400;
+
+ bit_rate_ext = get_bits(&s->gb, 12) << 18;
+ if (bit_rate_ext < INT_MAX / 400 &&
+ bit_rate_ext * 400 < INT_MAX - s->bit_rate) {
+ s->bit_rate += bit_rate_ext * 400;
+ } else {
+ av_log(s->avctx, AV_LOG_WARNING, "Invalid bit rate extension value: %d\n",
+ bit_rate_ext >> 18);
+ s->bit_rate = 0;
+ }
+
 skip_bits1(&s->gb); /* marker */
 s->avctx->rc_buffer_size += get_bits(&s->gb, 8) * 1024 * 16 << 10;
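Review bot: The warning in the `else` branch blames the extension value, but that branch is also taken when the second condition fails, i.e. when `s->bit_rate` is already too large for the addition, so the log can point whoever triages a malformed stream at the wrong field. Wording such as `"Bit rate extension %d would overflow the bit rate, ignoring\n"` covers both cases. The declaration of `bit_rate_ext` is outside the hunk; if it is unsigned, the `%d` conversion should become `%u`. The function continues before and after the hunk.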