avcodec/decode/ff_get_buffer: Check for overflow in FFALIGN()

Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 26218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-5734075396259840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-13 23:01:38 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-10-20 15:33:13 +0200
commit: 939b72b02e40a7db440b68f31ab23bd550785344 (patch)
tree: 9db85fe5bd61c4733bc1a2eb513b719b0b085398 /libavcodec/decode.c
parent: bc9686c85beb15cb87d492bfbea03c91d5317a11 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/decode.c b/libavcodec/decode.c
index 257abc7de4..5a1849f944 100644
--- a/libavcodec/decode.c
+++ b/libavcodec/decode.c
@@ -1883,7 +1883,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags)
     int ret;
 
     if (avctx->codec_type == AVMEDIA_TYPE_VIDEO) {
-        if ((ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) {
+        if ((unsigned)avctx->width > INT_MAX - STRIDE_ALIGN ||
+            (ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) {
             av_log(avctx, AV_LOG_ERROR, "video_get_buffer: image parameters invalid\n");
             ret = AVERROR(EINVAL);
             goto fail;
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-13 23:01:38 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-10-20 15:33:13 +0200
commit	939b72b02e40a7db440b68f31ab23bd550785344 (patch)
tree	9db85fe5bd61c4733bc1a2eb513b719b0b085398 /libavcodec/decode.c
parent	bc9686c85beb15cb87d492bfbea03c91d5317a11 (diff)