avcodec/wcmv: Fix integer overflows
authorMichael Niedermayer <michael@niedermayer.cc>
Tue, 25 Sep 2018 00:01:58 +0000 (02:01 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 30 Sep 2018 20:23:02 +0000 (22:23 +0200)
Fixes: signed integer overflow: 262140 * 65535 cannot be represented in type 'int'
Fixes: 10090/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5691269368512512
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/wcmv.c

index 384ceecd32f13b353a197e8d6f2c6405a0c6c30e..ebd5ef66f4af98dc08fd04d89cde51427989e237 100644 (file)
@@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx,
             bytestream2_skip(&bgb, 4);
             w = bytestream2_get_le16(&bgb);
             h = bytestream2_get_le16(&bgb);
+            if (x + bpp * (int64_t)w * h > INT_MAX)
+                return AVERROR_INVALIDDATA;
             x += bpp * w * h;
         }
 
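Review bot: The unchanged `x += bpp * w * h;` after the new guard is still evaluated in `int`, so it is only overflow-free if `x` and `bpp` are non-negative when the check runs, which the hunk does not show; the same pattern repeats in the second hunk (`@@ -140,6 +142,8 @@`). Computing the product once in 64 bits and reusing it removes that dependency: `int64_t blk = bpp * (int64_t)w * h;`, `if (x + blk > INT_MAX) return AVERROR_INVALIDDATA;`, `x += blk;` (the name `blk` is a placeholder, so check it against the locals already in scope). `INT_MAX` is also only a type limit, not a property of the stream. If the size of the data that `x` is later compared against or used to index is already known at this point, which cannot be seen from here, rejecting against that bound would fail malformed input earlier. `decode_frame` starts and ends outside both hunks.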
@@ -140,6 +142,8 @@ static int decode_frame(AVCodecContext *avctx,
             bytestream2_skip(&gb, 4);
             w = bytestream2_get_le16(&gb);
             h = bytestream2_get_le16(&gb);
+            if (x + bpp * (int64_t)w * h > INT_MAX)
+                return AVERROR_INVALIDDATA;
             x += bpp * w * h;
         }