From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 19 Apr 2021 18:23:41 +0000 (+0200)
Subject: avformat/wtvdec: Improve size overflow checks in parse_chunks()
X-Git-Url: https://git.sesse.net/?a=commitdiff_plain;h=f8ec1da8ac8e3daf2403e744f166ea9557b2d333;p=ffmpeg

avformat/wtvdec: Improve size overflow checks in parse_chunks()

Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 'int
Fixes: 32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---

diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 44ca86d517b..2f1b192ceaa 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -809,7 +809,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p
                 avio_skip(pb, 12);
                 ff_get_guid(pb, &formattype);
                 size = avio_rl32(pb);
-                if (size < 0 || size > INT_MAX - 92)
+                if (size < 0 || size > INT_MAX - 92 - consumed)
                     return AVERROR_INVALIDDATA;
                 parse_media_type(s, 0, sid, mediatype, subtype, formattype, size);
                 consumed += 92 + size;
@@ -825,7 +825,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p
                 avio_skip(pb, 12);
                 ff_get_guid(pb, &formattype);
                 size = avio_rl32(pb);
-                if (size < 0 || size > INT_MAX - 76)
+                if (size < 0 || size > INT_MAX - 76 - consumed)
                     return AVERROR_INVALIDDATA;
                 parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size);
                 consumed += 76 + size;