From patchwork Fri Dec  4 00:07:04 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 24336
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id A443944A173
	for <patchwork@ffaux-bg.ffmpeg.org>; Fri,  4 Dec 2020 02:08:16 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 92895689ADE;
	Fri,  4 Dec 2020 02:08:16 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe01-2.mx.upcmail.net
 (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B048F687FFE
 for <ffmpeg-devel@ffmpeg.org>; Fri,  4 Dec 2020 02:08:08 +0200 (EET)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1kkyds-0003TV-0H
 for ffmpeg-devel@ffmpeg.org; Fri, 04 Dec 2020 01:08:08 +0100
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id kyctkqpLPO4rAkyctk7Ty3; Fri, 04 Dec 2020 01:07:08 +0100
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=RNDN4Lq+ c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=e0wv8Vz6eb8dD7PI4zQA:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=bWyr8ysk75zN3GCy5bjg:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri,  4 Dec 2020 01:07:04 +0100
Message-Id: <20201204000707.7805-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
X-CMAE-Envelope: 
 MS4wfKaifQNWSrYBlzT90FXANdN4KqxeHMO4runwyM6TVOIC3Jvtw23jNHIpzxg/VtdtWHTumPLrb1QMSWA6EB0KTLo7AjXIzU8IyfcGFSCVmXa9VcpM+rkC
 /d7hRG6Xo581Tf/WfE1Tft2h/QoYIMSNKbvvCUsPp2UxxLuXdK7DJLzP
Subject: [FFmpeg-devel] [PATCH 1/4] avcodec/cdgraphics: Check frame before
	clearing
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: null pointer dereference
Fixes: 27730/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-6212402236096512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cdgraphics.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index 965f43684a..263459d0f2 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -369,6 +369,9 @@ static void cdg_decode_flush(AVCodecContext *avctx)
 {
     CDGraphicsContext *cc = avctx->priv_data;
 
+    if (!cc->frame->data[0])
+        return;
+
     memset(cc->frame->data[0], 0, cc->frame->linesize[0] * avctx->height);
     if (!avctx->frame_number)
         memset(cc->frame->data[1], 0, AVPALETTE_SIZE);

From patchwork Fri Dec  4 00:07:05 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 24335
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id F1C8644A173
	for <patchwork@ffaux-bg.ffmpeg.org>; Fri,  4 Dec 2020 02:08:15 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id CB935689B09;
	Fri,  4 Dec 2020 02:08:15 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe01-2.mx.upcmail.net
 (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B2DFC689A09
 for <ffmpeg-devel@ffmpeg.org>; Fri,  4 Dec 2020 02:08:08 +0200 (EET)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1kkyds-0003TW-0H
 for ffmpeg-devel@ffmpeg.org; Fri, 04 Dec 2020 01:08:08 +0100
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id kycukqpMhO4rAkycuk7TyP; Fri, 04 Dec 2020 01:07:08 +0100
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=RNDN4Lq+ c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=O6ZYl-k3c0boSx_qv7AA:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=SsAZrZ5W_gNWK9tOzrEV:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri,  4 Dec 2020 01:07:05 +0100
Message-Id: <20201204000707.7805-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201204000707.7805-1-michael@niedermayer.cc>
References: <20201204000707.7805-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfKaifQNWSrYBlzT90FXANdN4KqxeHMO4runwyM6TVOIC3Jvtw23jNHIpzxg/VtdtWHTumPLrb1QMSWA6EB0KTLo7AjXIzU8IyfcGFSCVmXa9VcpM+rkC
 /d7hRG6Xo581Tf/WfE1Tft2h/QoYIMSNKbvvCUsPp2UxxLuXdK7DJLzP
Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/rasc: Check frame before clearing
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: null pointer dereference
Fixes: 27737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5769028685266944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rasc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c
index cdf20a6db9..706940bf5f 100644
--- a/libavcodec/rasc.c
+++ b/libavcodec/rasc.c
@@ -70,6 +70,9 @@ static void clear_plane(AVCodecContext *avctx, AVFrame *frame)
     RASCContext *s = avctx->priv_data;
     uint8_t *dst = frame->data[0];
 
+    if (!dst)
+        return;
+
     for (int y = 0; y < avctx->height; y++) {
         memset(dst, 0, avctx->width * s->bpp);
         dst += frame->linesize[0];

From patchwork Fri Dec  4 00:07:06 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 24338
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 6725A44A173
	for <patchwork@ffaux-bg.ffmpeg.org>; Fri,  4 Dec 2020 02:08:18 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5917C689C5C;
	Fri,  4 Dec 2020 02:08:18 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe05-1.mx.upcmail.net
 (vie01a-dmta-pe05-1.mx.upcmail.net [84.116.36.11])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 4E490689A09
 for <ffmpeg-devel@ffmpeg.org>; Fri,  4 Dec 2020 02:08:09 +0200 (EET)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1kkyds-0001VD-0H
 for ffmpeg-devel@ffmpeg.org; Fri, 04 Dec 2020 01:08:08 +0100
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id kycukqpMtO4rAkycuk7TyU; Fri, 04 Dec 2020 01:07:08 +0100
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=RNDN4Lq+ c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=oSNYjDZHIcvM2JDD5PMA:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri,  4 Dec 2020 01:07:06 +0100
Message-Id: <20201204000707.7805-3-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201204000707.7805-1-michael@niedermayer.cc>
References: <20201204000707.7805-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfKaifQNWSrYBlzT90FXANdN4KqxeHMO4runwyM6TVOIC3Jvtw23jNHIpzxg/VtdtWHTumPLrb1QMSWA6EB0KTLo7AjXIzU8IyfcGFSCVmXa9VcpM+rkC
 /d7hRG6Xo581Tf/WfE1Tft2h/QoYIMSNKbvvCUsPp2UxxLuXdK7DJLzP
Subject: [FFmpeg-devel] [PATCH 3/4] avformat/dhav: Check position for
	overflow
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: signed integer overflow: 9223372036854775807 + 32768 cannot be represented in type 'long'
Fixes: 27744/clusterfuzz-testcase-minimized-ffmpeg_dem_DHAV_fuzzer-5179319491756032

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/dhav.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/dhav.c b/libavformat/dhav.c
index 53deaff77e..00e0d8476e 100644
--- a/libavformat/dhav.c
+++ b/libavformat/dhav.c
@@ -173,12 +173,12 @@ static int read_chunk(AVFormatContext *s)
     if (avio_feof(s->pb))
         return AVERROR_EOF;
 
-    if (avio_rl32(s->pb) != MKTAG('D','H','A','V')) {
+    if (avio_rl32(s->pb) != MKTAG('D','H','A','V') && dhav->last_good_pos < INT64_MAX - 0x8000) {
         dhav->last_good_pos += 0x8000;
         avio_seek(s->pb, dhav->last_good_pos, SEEK_SET);
 
         while (avio_rl32(s->pb) != MKTAG('D','H','A','V')) {
-            if (avio_feof(s->pb))
+            if (avio_feof(s->pb) || dhav->last_good_pos >= INT64_MAX - 0x8000)
                 return AVERROR_EOF;
             dhav->last_good_pos += 0x8000;
             ret = avio_skip(s->pb, 0x8000 - 4);

From patchwork Fri Dec  4 00:07:07 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 24337
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id A16F644A173
	for <patchwork@ffaux-bg.ffmpeg.org>; Fri,  4 Dec 2020 02:08:17 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 83D51689BDC;
	Fri,  4 Dec 2020 02:08:17 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe05-1.mx.upcmail.net
 (vie01a-dmta-pe05-1.mx.upcmail.net [84.116.36.11])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 4DBBC687FFE
 for <ffmpeg-devel@ffmpeg.org>; Fri,  4 Dec 2020 02:08:09 +0200 (EET)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1kkyds-0002N2-0H
 for ffmpeg-devel@ffmpeg.org; Fri, 04 Dec 2020 01:08:08 +0100
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id kycukqpN9O4rAkycuk7TyY; Fri, 04 Dec 2020 01:07:08 +0100
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=RNDN4Lq+ c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=FKnStPy4BJg1RgWFP80A:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=SsAZrZ5W_gNWK9tOzrEV:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri,  4 Dec 2020 01:07:07 +0100
Message-Id: <20201204000707.7805-4-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201204000707.7805-1-michael@niedermayer.cc>
References: <20201204000707.7805-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfKaifQNWSrYBlzT90FXANdN4KqxeHMO4runwyM6TVOIC3Jvtw23jNHIpzxg/VtdtWHTumPLrb1QMSWA6EB0KTLo7AjXIzU8IyfcGFSCVmXa9VcpM+rkC
 /d7hRG6Xo581Tf/WfE1Tft2h/QoYIMSNKbvvCUsPp2UxxLuXdK7DJLzP
Subject: [FFmpeg-devel] [PATCH 4/4] avcodec/wmaprodec: Check packet size
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: left shift of negative value -25824
Fixes: 27754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5760255962906624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wmaprodec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index 63e7680f9a..296970f561 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -1719,6 +1719,12 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s,
         }
     } else {
         int frame_size;
+
+        if (avpkt->size < s->next_packet_start) {
+            s->packet_loss = 1;
+            return AVERROR_INVALIDDATA;
+        }
+
         s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3;
         init_get_bits(gb, avpkt->data, s->buf_bit_size);
         skip_bits(gb, s->packet_offset);