avcodec/cfhd: Check that cropped size is smaller than full

Fixes: signed integer overflow: 57342 * 120830 cannot be represented in type 'int'
Fixes: 16426/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5758744817827840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index 27eed415d19fcf28e277a39e04ba156a1c9ce603..b4d6b25cbc0d3cd432ddf751813ca8975d521889 100644 (file)
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -625,8 +625,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             ret = ff_set_dimensions(avctx, s->coded_width, s->coded_height);
             if (ret < 0)
                 return ret;
-            if (s->cropped_height)
-                avctx->height = s->cropped_height << (avctx->pix_fmt == AV_PIX_FMT_BAYER_RGGB16);
+            if (s->cropped_height) {
+                unsigned height = s->cropped_height << (avctx->pix_fmt == AV_PIX_FMT_BAYER_RGGB16);
+                if (avctx->height < height)
+                    return AVERROR_INVALIDDATA;
+                avctx->height = height;
+            }
             frame.f->width =
             frame.f->height = 0;