Fixes: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int'
Fixes: 484567435/clusterfuzz-testcase-minimized-ffmpeg_dem_HXVS_fuzzer-5628836988649472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 82f097c825237219557a14918b74fa254121a6de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
int64_t top = get_ue_golomb_long(gb) * vert_mult;
int64_t bottom = get_ue_golomb_long(gb) * vert_mult;
+ if (left < 0 || right < 0 || top < 0 || bottom < 0 ||
+ w <= left + right ||
+ h <= top + bottom) {
+ memset(window, 0, sizeof(*window));
+ return AVERROR_INVALIDDATA;
+ }
+
window->left_offset = left;
window->right_offset = right;
window->top_offset = top;
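Review bot: In the context lines `int64_t top = get_ue_golomb_long(gb) * vert_mult;` and the matching `bottom` line, the product is evaluated in the operands' own type and only then stored into the int64_t, so if both operands are 32-bit the multiplication can still wrap before the new range check sees it. Casting one operand, for example `(int64_t)get_ue_golomb_long(gb) * vert_mult`, would guarantee the check operates on the true value. Separately, the new `if` returns AVERROR_INVALIDDATA without logging; a short av_log() giving the rejected offsets alongside w and h would make malformed streams easier to diagnose, and a one-line comment on why `window` is zeroed before returning would help readers who wonder whether callers depend on that.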