avformat/cdxl: Fix integer overflow in intermediate

Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/cdxl: Fix integer overflow in intermediate
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
5c5575c8 · Michael Niedermayer · 9fac2437 · 5c5575c8
Commit 5c5575c8 authored Aug 30, 2019 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

cdxl.c libavformat/cdxl.c +2 -1

No files found.
--- a/libavformat/cdxl.c
+++ b/libavformat/cdxl.c
@@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt)
    height       = AV_RB16(&cdxl->header[16]);
    palette_size = AV_RB16(&cdxl->header[20]);
    audio_size   = AV_RB16(&cdxl->header[22]);
-    if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
+    if (cdxl->header[19] == 0 ||
+        FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
        return AVERROR_INVALIDDATA;
    if (format == 0x20)
        image_size = width * height * cdxl->header[19] / 8;