[FFmpeg-cvslog] avformat/moflex: Check pop_int() for overflow

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Sep 20 21:23:38 2020 +0200| [dfbea7b210ac95e59446f9512b25688df44c108b] | committer: Michael Niedermayer

avformat/moflex: Check pop_int() for overflow

Fixes: signed integer overflow: 2 * 2132811776 cannot be represented in type 'int'
Fixes: 25722/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6221704077246464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dfbea7b210ac95e59446f9512b25688df44c108b
---

 libavformat/moflex.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/moflex.c b/libavformat/moflex.c
index 2111157408..937f63cb63 100644
--- a/libavformat/moflex.c
+++ b/libavformat/moflex.c
@@ -62,6 +62,8 @@ static int pop_int(BitReader *br, AVIOContext *pb, int n)
 
         if (ret < 0)
             return ret;
+        if (ret > INT_MAX - value - value)
+            return AVERROR_INVALIDDATA;
         value = 2 * value + ret;
     }