avformat/mvdec: Fix integer overflow with billions of channels

Fixes: signed integer overflow: 1394614304 * 2 cannot be represented in type 'int'
Fixes: 23491/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5697377020411904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 64166a84b1f90c695528b7d8ac9f4c624e6e977f..d5b400213df1b669be2e4875cd42d9ae6b64c9e4 100644 (file)
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -268,7 +268,7 @@ static void read_index(AVIOContext *pb, AVStream *st)
         avio_skip(pb, 8);
         av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME);
         if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) {
-            timestamp += size / (st->codecpar->channels * 2);
+            timestamp += size / (st->codecpar->channels * 2LL);
         } else {
             timestamp++;
         }
@@ -355,7 +355,7 @@ static int mv_read_header(AVFormatContext *avctx)
             avio_skip(pb, 8);
             av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
             av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);
-            timestamp += asize / (ast->codecpar->channels * 2);
+            timestamp += asize / (ast->codecpar->channels * 2LL);
         }
     } else if (!version && avio_rb16(pb) == 3) {
         avio_skip(pb, 4);