From 2d03bbcd780d2762c7e4f2f686d7bac78190a2cb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 16 Jan 2021 22:44:33 +0100
Subject: [PATCH] avformat/nutdec: Fix integer overflow in count computation

Note, the value is checked a few lines later already

Fixes: signed integer overflow: -440402016 - 1879048064 cannot be represented in type 'int'
Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6603876618469376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0014249fd92132515b3ff0ce034dd65e745cb400)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/nutdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index bfa2bade27..e5ff0d757d 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -294,7 +294,7 @@ static int decode_main_header(NUTContext *nut)
         if (tmp_fields > 5)
             count = ffio_read_varlen(bc);
         else
-            count = tmp_mul - tmp_size;
+            count = tmp_mul - (unsigned)tmp_size;
         if (tmp_fields > 6)
             get_s(bc);
         if (tmp_fields > 7)