avcodec/mobiclip: Avoid undefined integer overflow in MV computation
authorMichael Niedermayer <michael@niedermayer.cc>
Mon, 1 Mar 2021 23:19:21 +0000 (00:19 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Wed, 3 Mar 2021 10:40:40 +0000 (11:40 +0100)
Fixes: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
Fixes: 30877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-4775601145774080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/mobiclip.c

index e5c6617325c669b07f66f79d901addbd814fc5d6..9392ab947e1202cd1eeca6ab1041477222a2e61a 100644 (file)
@@ -1091,8 +1091,8 @@ static int predict_motion(AVCodecContext *avctx,
             sidx += 6;
 
         if (index > 0) {
-            mv.x = mv.x + get_se_golomb(gb);
-            mv.y = mv.y + get_se_golomb(gb);
+            mv.x = mv.x + (unsigned)get_se_golomb(gb);
+            mv.y = mv.y + (unsigned)get_se_golomb(gb);
         }
         if (mv.x >= INT_MAX || mv.y >= INT_MAX)
             return AVERROR_INVALIDDATA;
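Review bot: With the `(unsigned)` casts on the two added lines, a sum that does not fit in `int` now wraps and is converted back (implementation-defined, in practice to a negative value), so it passes the `mv.x >= INT_MAX || mv.y >= INT_MAX` check that follows; assuming `mv.x` and `mv.y` are `int`, as the sanitizer message in the commit description suggests, that check can only ever match the single value `INT_MAX`. The cast removes the undefined behaviour, but range validation of these bitstream-derived vectors is left to whatever bounds checks come later in `predict_motion`, whose body continues outside this hunk, so it is worth confirming they exist before the vector is used to address the reference frame. If wrapping is intended, say so next to the cast, e.g. `/* unsigned add wraps instead of overflowing; wrapped vectors must be rejected by the bounds checks below */`. Otherwise widen and reject explicitly: `int64_t x = (int64_t)mv.x + get_se_golomb(gb);` then `if (x < INT_MIN || x >= INT_MAX) return AVERROR_INVALIDDATA;`, and the same for `mv.y`.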