avcodec/wcmv: Fix integer overflows

Fixes: signed integer overflow: 262140 * 65535 cannot be represented in type 'int' Fixes: 10090/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5691269368512512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2018-09-25 02:01:58 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2018-09-30 22:23:02 +0200
commit: a8a98ba9eeedc0c4b5d95e3b61840174cd254bca (patch)
tree: ce2c1d47348dde6095cf01725c8a94b1ce99faf1 /libavcodec/wcmv.c
parent: 2076e11839b35c62e28642dcf71c95304af9222f (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/wcmv.c b/libavcodec/wcmv.c
index 384ceecd32..ebd5ef66f4 100644
--- a/libavcodec/wcmv.c
+++ b/libavcodec/wcmv.c
@@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx,
             bytestream2_skip(&bgb, 4);
             w = bytestream2_get_le16(&bgb);
             h = bytestream2_get_le16(&bgb);
+            if (x + bpp * (int64_t)w * h > INT_MAX)
+                return AVERROR_INVALIDDATA;
             x += bpp * w * h;
         }
 
@@ -140,6 +142,8 @@ static int decode_frame(AVCodecContext *avctx,
             bytestream2_skip(&gb, 4);
             w = bytestream2_get_le16(&gb);
             h = bytestream2_get_le16(&gb);
+            if (x + bpp * (int64_t)w * h > INT_MAX)
+                return AVERROR_INVALIDDATA;
             x += bpp * w * h;
         }
author	Michael Niedermayer <michael@niedermayer.cc>	2018-09-25 02:01:58 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2018-09-30 22:23:02 +0200
commit	a8a98ba9eeedc0c4b5d95e3b61840174cd254bca (patch)
tree	ce2c1d47348dde6095cf01725c8a94b1ce99faf1 /libavcodec/wcmv.c
parent	2076e11839b35c62e28642dcf71c95304af9222f (diff)