From 76b6c46a81f420ffa04211d4b598547f14b67cb7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 5 Nov 2020 20:04:20 +0100
Subject: [PATCH] avformat/av1dec: check size before addition in probing

Fixes: signed integer overflow: 175 + 2147483571 cannot be represented in type 'int'
Fixes: 26833/clusterfuzz-testcase-minimized-ffmpeg_dem_IMAGE2_fuzzer-5969501214212096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/av1dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/av1dec.c b/libavformat/av1dec.c
index 395eef6522..5ae81b34d4 100644
--- a/libavformat/av1dec.c
+++ b/libavformat/av1dec.c
@@ -361,7 +361,7 @@ static int obu_probe(const AVProbeData *p)
         ret = read_obu_with_size(p->buf + cnt, p->buf_size - cnt, &obu_size, &type);
         if (ret < 0 || obu_size <= 0)
             return 0;
-        cnt += ret;
+        cnt += FFMIN(ret, p->buf_size - cnt);
 
         ret = get_score(type, &seq);
         if (ret >= 0)
-- 
GitLab