From 3629a0771042306d831a8e6bd0a6399e2b2e57ee Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Sat, 17 Dec 2022 12:28:51 +0100
Subject: [PATCH] [PATCH] fixed #2357

Gbp-Pq: Name CVE-2022-47660.patch
---
 src/isomedia/isom_write.c      | 23 ++++++++++++++++++-----
 src/media_tools/media_import.c |  2 +-
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/isomedia/isom_write.c b/src/isomedia/isom_write.c
index 1e3366f..7e3de88 100644
--- a/src/isomedia/isom_write.c
+++ b/src/isomedia/isom_write.c
@@ -4605,10 +4605,19 @@ GF_Err gf_isom_shift_cts_offset(GF_ISOFile *the_file, u32 trackNumber, s32 offse
 	if (!trak->Media->information->sampleTable->CompositionOffset) return GF_BAD_PARAM;
 	if (!trak->Media->information->sampleTable->CompositionOffset->unpack_mode) return GF_BAD_PARAM;
 
-	for (i=0; i<trak->Media->information->sampleTable->CompositionOffset->nb_entries; i++) {
+        GF_CompositionOffsetBox *ctso = trak->Media->information->sampleTable->CompositionOffset;
+        for (i=0; i<ctso->nb_entries; i++) {
+                s64 new_ts = ctso->entries[i].decodingOffset;
+                new_ts -= offset_shift;
 		/*we're in unpack mode: one entry per sample*/
-		trak->Media->information->sampleTable->CompositionOffset->entries[i].decodingOffset -= offset_shift;
-	}
+                ctso->entries[i].decodingOffset = (s32) new_ts;
+	}
+        if (trak->Media->mediaHeader->duration >= -offset_shift) {
+                s64 new_dur = trak->Media->mediaHeader->duration;
+                new_dur -= offset_shift;
+                if (new_dur<0) new_dur = 0;
+                trak->Media->mediaHeader->duration = (u32) new_dur;
+        }
 	return GF_OK;
 }
 
@@ -6526,7 +6535,9 @@ static GF_Err gf_isom_set_ctts_v0(GF_ISOFile *file, GF_TrackBox *trak)
 		if (shift > 0)
 		{
 			for (i=0; i<ctts->nb_entries; i++) {
-				ctts->entries[i].decodingOffset += shift;
+				s64 new_ts = ctts->entries[i].decodingOffset;
+				new_ts += shift;
+				ctts->entries[i].decodingOffset = (u32) shift;
 			}
 		}
 	}
@@ -6535,7 +6546,9 @@ static GF_Err gf_isom_set_ctts_v0(GF_ISOFile *file, GF_TrackBox *trak)
 		cslg = trak->Media->information->sampleTable->CompositionToDecode;
 		shift = cslg->compositionToDTSShift;
 		for (i=0; i<ctts->nb_entries; i++) {
-			ctts->entries[i].decodingOffset += shift;
+			s64 new_ts = ctts->entries[i].decodingOffset;
+			new_ts += shift;
+			ctts->entries[i].decodingOffset = (u32) shift;
 		}
 		gf_isom_box_del_parent(&trak->Media->information->sampleTable->child_boxes, (GF_Box *)cslg);
 		trak->Media->information->sampleTable->CompositionToDecode = NULL;
diff --git a/src/media_tools/media_import.c b/src/media_tools/media_import.c
index acfb3cf..25a58df 100644
--- a/src/media_tools/media_import.c
+++ b/src/media_tools/media_import.c
@@ -99,7 +99,7 @@ static void gf_media_update_bitrate_ex(GF_ISOFile *file, u32 track, Bool use_esd
 
 	br = (Double) (s64) gf_isom_get_media_duration(file, track);
 	br /= timescale;
-	if (br) {
+	if (br>0) {
 		GF_ESD *esd = NULL;
 		if (!csize || !cdur) {
 			bitrate = (u32) ((Double) (s64)avg_rate / br);
-- 
2.30.2