@@ -2885,14 +2885,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
&& total_sample_count > 100
&& sample_duration/10 > duration / total_sample_count)
sample_duration = duration / total_sample_count;
- duration+=(int64_t)sample_duration*sample_count;
+ duration+=(int64_t)sample_duration*(uint64_t)sample_count;
total_sample_count+=sample_count;
}
sc->stts_count = i;
- sc->duration_for_fps += duration;
- sc->nb_frames_for_fps += total_sample_count;
+ if (duration > 0 &&
+ duration <= INT64_MAX - sc->duration_for_fps &&
+ total_sample_count <= INT64_MAX - sc->nb_frames_for_fps
+ ) {
+ sc->duration_for_fps += duration;
+ sc->nb_frames_for_fps += total_sample_count;
+ }
if (pb->eof_reached) {
av_log(c->fc, AV_LOG_WARNING, "reached eof, corrupted STTS atom\n");
@@ -4798,8 +4803,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom)
dts += sample_duration;
offset += sample_size;
sc->data_size += sample_size;
- sc->duration_for_fps += sample_duration;
- sc->nb_frames_for_fps ++;
+
+ if (sample_duration <= INT64_MAX - sc->duration_for_fps &&
+ 1 <= INT64_MAX - sc->nb_frames_for_fps
+ ) {
+ sc->duration_for_fps += sample_duration;
+ sc->nb_frames_for_fps ++;
+ }
}
if (i < entries) {
// EOF found before reading all entries. Fix the hole this would