From b5e7092c9cc603ca9312dea1f0eb2bd331784fc1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 17 Mar 2021 21:58:53 +0100
Subject: [PATCH] avformat/mpc8: check for size overflow in
 mpc8_get_chunk_header()

Fixes: signed integer overflow: -9223372036854775760 - 50 cannot be represented in type 'long'
Fixes: 31673/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-580134751869337

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6cc65d3d6760cfb08c5a9e57d4306d88428e18d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mpc8.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index f33323a599..88c55e3d22 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -127,7 +127,11 @@ static void mpc8_get_chunk_header(AVIOContext *pb, int *tag, int64_t *size)
     pos = avio_tell(pb);
     *tag = avio_rl16(pb);
     *size = ffio_read_varlen(pb);
-    *size -= avio_tell(pb) - pos;
+    pos -= avio_tell(pb);
+    if (av_sat_add64(*size, pos) != (uint64_t)*size + pos) {
+        *size = -1;
+    } else
+        *size += pos;
 }
 
 static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)