[FFmpeg-cvslog] avformat/rmdec: Reorder operations to avoid overflow

Sat Feb 20 22:10:20 EET 2021

ffmpeg | branch: release/4.3 | Michael Niedermayer <michael at niedermayer.cc> | Thu Dec  3 00:54:46 2020 +0100| [9797f8dba3424c893bfaae72936f1c1def8d9205] | committer: Michael Niedermayer

avformat/rmdec: Reorder operations to avoid overflow

Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int'
Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit b12e713b8061cc6a71ec69da946552bc593d5fa7)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9797f8dba3424c893bfaae72936f1c1def8d9205
---

 libavformat/rmdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 25b66e2a06..f150dcd111 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -714,9 +714,9 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre
                     av_log(s, AV_LOG_WARNING,
                            "Index size %d (%d pkts) is wrong, should be %"PRId64".\n",
                            len, n_pkts, expected_len);
-                len -= 14; // we already read part of the index header
-                if(len<0)
+                if(len < 14)
                     continue;
+                len -= 14; // we already read part of the index header
                 goto skip;
             } else if (state == MKBETAG('D','A','T','A')) {
                 av_log(s, AV_LOG_WARNING,

