avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot...

[ffmpeg] / libavcodec / fmvc.c

diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c
index 1f8b0c5c17ca32edb89f4154a6b71ad2b868daf4..2368e95f29c900e9d756de9dc317cd9969ad1b6a 100644 (file)
--- a/libavcodec/fmvc.c
+++ b/libavcodec/fmvc.c
@@ -459,7 +459,7 @@ static int decode_frame(AVCodecContext *avctx,
             int size, offset, start = 0;
 
             offset = bytestream2_get_le16(gb);
-            if (offset > s->nb_blocks)
+            if (offset >= s->nb_blocks)
                 return AVERROR_INVALIDDATA;
 
             size = bytestream2_get_le16(gb);
@@ -561,6 +561,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
     }
 
     s->nb_blocks = s->xb * s->yb;
+    if (!s->nb_blocks)
+        return AVERROR_INVALIDDATA;
+
     s->blocks = av_calloc(s->nb_blocks, sizeof(*s->blocks));
     if (!s->blocks)
         return AVERROR(ENOMEM);