avformat/dxa: avoid bpc overflows

Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93db0f0740)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2022-09-17 22:40:47 +02:00
parent 2dacd939ac
commit c91ed5ee63
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64

View File

@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s)
if(tag == MKTAG('d', 'a', 't', 'a')) break;
avio_skip(pb, fsize);
}
c->bpc = (fsize + c->frames - 1) / c->frames;
if(ast->codecpar->block_align)
c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames;
if(ast->codecpar->block_align) {
if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
return AVERROR_INVALIDDATA;
c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
}
c->bytes_left = fsize;
c->wavpos = avio_tell(pb);
avio_seek(pb, c->vidpos, SEEK_SET);