avcodec/exr: Check col/line for integer overflow

Fixes: signed integer overflow: -2272 + -2147483360 cannot be represented in type 'int' Fixes: 30009/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5005660322398208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-02-01 21:24:50 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-03-13 21:02:31 +0100
commit: 312bcdbfc13227de9e4c3f9e38541b05c84a0639 (patch)
tree: d51083725e56b1d184bd8826d99f7d1a231eb28c /libavcodec/exr.c
parent: c281d84b2020aebfa4120c0a2bf645ac8824aff6 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 8a714c1a3a..279cfe9412 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1214,6 +1214,11 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
             return AVERROR_PATCHWELCOME;
         }
 
+        if (tile_x && s->tile_attr.xSize + (int64_t)FFMAX(s->xmin, 0) >= INT_MAX / tile_x )
+            return AVERROR_INVALIDDATA;
+        if (tile_y && s->tile_attr.ySize + (int64_t)FFMAX(s->ymin, 0) >= INT_MAX / tile_y )
+            return AVERROR_INVALIDDATA;
+
         line = s->ymin + s->tile_attr.ySize * tile_y;
         col = s->tile_attr.xSize * tile_x;
author	Michael Niedermayer <michael@niedermayer.cc>	2021-02-01 21:24:50 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-03-13 21:02:31 +0100
commit	312bcdbfc13227de9e4c3f9e38541b05c84a0639 (patch)
tree	d51083725e56b1d184bd8826d99f7d1a231eb28c /libavcodec/exr.c
parent	c281d84b2020aebfa4120c0a2bf645ac8824aff6 (diff)