From c4b130e876fe9ac5875a2f2480e96de4fdac7760 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 20 Mar 2022 23:32:53 +0100
Subject: avformat/aviobuf: Check buf_size in ffio_ensure_seekback()

buffer_size is an int

Fixes: signed integer overflow: 9223372036854775754 + 32767 cannot be represented in type 'long'
Fixes: 45691/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5263458831040512

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/aviobuf.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'libavformat')

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 29d4bd7510..33bc3c2e20 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -1062,6 +1062,9 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size)
     if (buf_size <= s->buf_end - s->buf_ptr)
         return 0;
 
+    if (buf_size > INT_MAX - max_buffer_size)
+        return AVERROR(EINVAL);
+
     buf_size += max_buffer_size - 1;
 
     if (buf_size + s->buf_ptr - s->buffer <= s->buffer_size || s->seekable || !s->read_packet)
-- 
cgit v1.2.3