avformat/wtvdec: Improve size overflow checks in parse_chunks()

Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 'int
Fixes: 32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 44ca86d517bd3f0fece4953ecaecdf356e13df72..2f1b192ceaa329c1887199746c166da93cfabd0d 100644 (file)
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -809,7 +809,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p
                 avio_skip(pb, 12);
                 ff_get_guid(pb, &formattype);
                 size = avio_rl32(pb);
-                if (size < 0 || size > INT_MAX - 92)
+                if (size < 0 || size > INT_MAX - 92 - consumed)
                     return AVERROR_INVALIDDATA;
                 parse_media_type(s, 0, sid, mediatype, subtype, formattype, size);
                 consumed += 92 + size;
@@ -825,7 +825,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p
                 avio_skip(pb, 12);
                 ff_get_guid(pb, &formattype);
                 size = avio_rl32(pb);
-                if (size < 0 || size > INT_MAX - 76)
+                if (size < 0 || size > INT_MAX - 76 - consumed)
                     return AVERROR_INVALIDDATA;
                 parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size);
                 consumed += 76 + size;