From d4bb784274b32f4a2219204276274e73008391bf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 25 Mar 2024 03:38:27 +0100
Subject: [PATCH] avformat/iamf_reader: Check len before summing

Fixes: integer overflow
Fixes: 67275/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5438920751906816
Fixes: 67688/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5970342318243840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f26ee6e0667d050b684668ad0e792e70fcf88b78)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/iamf_reader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c
index 270cfac389..f3ff4170c6 100644
--- a/libavformat/iamf_reader.c
+++ b/libavformat/iamf_reader.c
@@ -283,9 +283,9 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c,
 
         len = ff_iamf_parse_obu_header(header, size, &obu_size, &start_pos, &type,
                                        &skip_samples, &discard_padding);
-        if (len < 0 || obu_size > max_size) {
+        if (len < 0 || obu_size > max_size || len > INT_MAX - read) {
             av_log(s, AV_LOG_ERROR, "Failed to read obu\n");
-            return len;
+            return len < 0 ? len : AVERROR_INVALIDDATA;
         }
         avio_seek(pb, -(size - start_pos), SEEK_CUR);