From b3c973acbecb879d4949fecdadd2fdfc08dea42b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 30 Sep 2023 21:14:28 +0200
Subject: [PATCH] avformat/rpl: Check for number_of_chunks overflow

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int32_t' (aka 'int')
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6086131095830528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rpl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/rpl.c b/libavformat/rpl.c
index 3ef6fda386..eae0da891b 100644
--- a/libavformat/rpl.c
+++ b/libavformat/rpl.c
@@ -268,6 +268,9 @@ static int rpl_read_header(AVFormatContext *s)
                "Video stream will be broken!\n", av_fourcc2str(vst->codecpar->codec_tag));
 
     number_of_chunks = read_line_and_int(pb, &error);  // number of chunks in the file
+    if (number_of_chunks == INT_MAX)
+        return AVERROR_INVALIDDATA;
+
     // The number in the header is actually the index of the last chunk.
     number_of_chunks++;