[PATCH] fixed #2357

Gbp-Pq: Name CVE-2022-47660.patch

diff --git a/src/isomedia/isom_write.c b/src/isomedia/isom_write.c
index 1e3366f03cae23553870bfe43ebf72b81c21c792..7e3de887f8f72beecdeca1039fffd70cafd7d2ca 100644 (file)
--- a/src/isomedia/isom_write.c
+++ b/src/isomedia/isom_write.c
@@ -4605,10 +4605,19 @@ GF_Err gf_isom_shift_cts_offset(GF_ISOFile *the_file, u32 trackNumber, s32 offse
        if (!trak->Media->information->sampleTable->CompositionOffset) return GF_BAD_PARAM;
        if (!trak->Media->information->sampleTable->CompositionOffset->unpack_mode) return GF_BAD_PARAM;
 
-       for (i=0; i<trak->Media->information->sampleTable->CompositionOffset->nb_entries; i++) {
+        GF_CompositionOffsetBox *ctso = trak->Media->information->sampleTable->CompositionOffset;
+        for (i=0; i<ctso->nb_entries; i++) {
+                s64 new_ts = ctso->entries[i].decodingOffset;
+                new_ts -= offset_shift;
                /*we're in unpack mode: one entry per sample*/
-               trak->Media->information->sampleTable->CompositionOffset->entries[i].decodingOffset -= offset_shift;
-       }
+                ctso->entries[i].decodingOffset = (s32) new_ts;
+       }
+        if (trak->Media->mediaHeader->duration >= -offset_shift) {
+                s64 new_dur = trak->Media->mediaHeader->duration;
+                new_dur -= offset_shift;
+                if (new_dur<0) new_dur = 0;
+                trak->Media->mediaHeader->duration = (u32) new_dur;
+        }
        return GF_OK;
 }
 
@@ -6526,7 +6535,9 @@ static GF_Err gf_isom_set_ctts_v0(GF_ISOFile *file, GF_TrackBox *trak)
                if (shift > 0)
                {
                        for (i=0; i<ctts->nb_entries; i++) {
-                               ctts->entries[i].decodingOffset += shift;
+                               s64 new_ts = ctts->entries[i].decodingOffset;
+                               new_ts += shift;
+                               ctts->entries[i].decodingOffset = (u32) shift;
                        }
                }
        }
@@ -6535,7 +6546,9 @@ static GF_Err gf_isom_set_ctts_v0(GF_ISOFile *file, GF_TrackBox *trak)
                cslg = trak->Media->information->sampleTable->CompositionToDecode;
                shift = cslg->compositionToDTSShift;
                for (i=0; i<ctts->nb_entries; i++) {
-                       ctts->entries[i].decodingOffset += shift;
+                       s64 new_ts = ctts->entries[i].decodingOffset;
+                       new_ts += shift;
+                       ctts->entries[i].decodingOffset = (u32) shift;
                }
                gf_isom_box_del_parent(&trak->Media->information->sampleTable->child_boxes, (GF_Box *)cslg);
                trak->Media->information->sampleTable->CompositionToDecode = NULL;

diff --git a/src/media_tools/media_import.c b/src/media_tools/media_import.c
index acfb3cfdb9086306e17f6d7034b3bb8bc2a01188..25a58df95ff8e034d9d7b630b6afb70ffbdeba86 100644 (file)
--- a/src/media_tools/media_import.c
+++ b/src/media_tools/media_import.c
@@ -99,7 +99,7 @@ static void gf_media_update_bitrate_ex(GF_ISOFile *file, u32 track, Bool use_esd
 
        br = (Double) (s64) gf_isom_get_media_duration(file, track);
        br /= timescale;
-       if (br) {
+       if (br>0) {
                GF_ESD *esd = NULL;
                if (!csize || !cdur) {
                        bitrate = (u32) ((Double) (s64)avg_rate / br);