avformat/bintext: Check width in idf_read_header()

Fixes: division by 0
Fixes: 26802/clusterfuzz-testcase-minimized-ffmpeg_dem_IDF_fuzzer-5180591554953216.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavformat/bintext.c b/libavformat/bintext.c
index 7dab5f377d5d8218275afa43dc3066545294f708..144b4172af32c9e5963c8db50432bc823c7e14cf 100644 (file)
--- a/libavformat/bintext.c
+++ b/libavformat/bintext.c
@@ -344,6 +344,8 @@ static int idf_read_header(AVFormatContext *s)
 
     bin->fsize = avio_size(pb) - 12 - 4096 - 48;
     ff_sauce_read(s, &bin->fsize, &got_width, 0);
+    if (st->codecpar->width < 8)
+        return AVERROR_INVALIDDATA;
     if (!bin->width)
         calculate_height(st->codecpar, bin->fsize);
     avio_seek(pb, 12, SEEK_SET);