From dfbea7b210ac95e59446f9512b25688df44c108b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 20 Sep 2020 21:23:38 +0200
Subject: [PATCH] avformat/moflex: Check pop_int() for overflow

Fixes: signed integer overflow: 2 * 2132811776 cannot be represented in type 'int'
Fixes: 25722/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6221704077246464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/moflex.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/moflex.c b/libavformat/moflex.c
index 2111157408..937f63cb63 100644
--- a/libavformat/moflex.c
+++ b/libavformat/moflex.c
@@ -62,6 +62,8 @@ static int pop_int(BitReader *br, AVIOContext *pb, int n)
 
         if (ret < 0)
             return ret;
+        if (ret > INT_MAX - value - value)
+            return AVERROR_INVALIDDATA;
         value = 2 * value + ret;
     }