avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows

This is not necessarily specific to fuzzed files

Fixes: Multiple integer overflows
Fixes: 656/clusterfuzz-testcase-6463814516080640
Fixes: 658/clusterfuzz-testcase-6691260146384896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 76ba09d18245a2a41dc5f93a60fd00cdf358cb1f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1 files changed, 7 insertions, 0 deletions

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 72ced2c4da..5e41da4f98 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -381,6 +381,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
             s->sprite_delta[0][i]  *= 1 << shift_y;
             s->sprite_delta[1][i]  *= 1 << shift_y;
             ctx->sprite_shift[i]     = 16;
+
+            if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX ||
+                llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX ||
+                llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) {
+                avpriv_request_sample(s->avctx, "Overflow on sprite points");
+                return AVERROR_PATCHWELCOME;
+            }
         }
         s->real_sprite_warping_points = ctx->num_sprite_warping_points;
     }