avcodec/rv60dec: Check ofs for overflows

Fixes: signed integer overflow: 30 + 2147483647 cannot be represented in type 'int' Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-6568264620900352 Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2025-06-28 02:21:57 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2025-07-03 23:05:31 +0200
commit: ecbe3e73662b765b1ab0147da105186799ac83c7 (patch)
tree: 9adc95e90a62cffaf1a1f0b5c9cd945f14afc1e7
parent: e68599f551de5a932bd7cb09db66d77ad52464dd (diff)
download: ffmpeg-ecbe3e73662b765b1ab0147da105186799ac83c7.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 6075598861..4a3d9067db 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2347,10 +2347,12 @@ static int rv60_decode_frame(AVCodecContext *avctx, AVFrame * frame,
     ofs = get_bits_count(&gb) / 8;
 
     for (int i = 0; i < s->cu_height; i++) {
-        if (header_size + ofs >= avpkt->size)
+        if (ofs >= avpkt->size - header_size)
             return AVERROR_INVALIDDATA;
         s->slice[i].data = avpkt->data + header_size + ofs;
         s->slice[i].data_size = FFMIN(s->slice[i].size, avpkt->size - header_size - ofs);
+        if (s->slice[i].size > INT32_MAX - ofs)
+            return AVERROR_INVALIDDATA;
         ofs += s->slice[i].size;
     }
author	Michael Niedermayer <michael@niedermayer.cc>	2025-06-28 02:21:57 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2025-07-03 23:05:31 +0200
commit	ecbe3e73662b765b1ab0147da105186799ac83c7 (patch)
tree	9adc95e90a62cffaf1a1f0b5c9cd945f14afc1e7
parent	e68599f551de5a932bd7cb09db66d77ad52464dd (diff)
download	ffmpeg-ecbe3e73662b765b1ab0147da105186799ac83c7.tar.gz