From c36a5dfc8f68316f93d03081e5a367b04e1cbd3c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 7 Jan 2022 17:51:11 +0100
Subject: [PATCH] avformat/rawvideodec: check packet size

Fixes: division by zero
Fixes: integer overflow
Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: lance.lmwang@gmail.com
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rawvideodec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
index 3f92211af1..7b1a534452 100644
--- a/libavformat/rawvideodec.c
+++ b/libavformat/rawvideodec.c
@@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx)
     enum AVPixelFormat pix_fmt;
     AVStream *st;
     int packet_size;
+    int ret;
 
     st = avformat_new_stream(ctx, NULL);
     if (!st)
@@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx)
 
     avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
 
+    ret = av_image_check_size(s->width, s->height, 0, ctx);
+    if (ret < 0)
+        return ret;
+
     st->codecpar->width  = s->width;
     st->codecpar->height = s->height;
 
@@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
         if (packet_size < 0)
             return packet_size;
     }
+    if (packet_size == 0)
+        return AVERROR(EINVAL);
 
     st->codecpar->format = pix_fmt;
     ctx->packet_size = packet_size;