From 6ebb9e7b7765d699692ba18c2b0ef1ff1ce6dbf4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 17 May 2017 01:12:55 +0200
Subject: [PATCH] avcodec/flicvideo: Check frame_size before decrementing

Fixes: runtime error: signed integer overflow: -2147483627 - 22 cannot be represented in type 'int'
Fixes: 1637/clusterfuzz-testcase-minimized-5376582493405184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 355e27e24dc88d6ba8f27501a34925d9d937a399)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/flicvideo.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index b1b7b5a42f..46fd21d2b1 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -199,6 +199,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
     num_chunks = bytestream2_get_le16(&g2);
     bytestream2_skip(&g2, 8);  /* skip padding */
 
+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
+
     frame_size -= 16;
 
     /* iterate through the chunks */
@@ -519,6 +522,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
     if (frame_size > buf_size)
         frame_size = buf_size;
 
+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
     frame_size -= 16;
 
     /* iterate through the chunks */
@@ -804,6 +809,8 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
     if (frame_size > buf_size)
         frame_size = buf_size;
 
+    if (frame_size < 16)
+        return AVERROR_INVALIDDATA;
     frame_size -= 16;
 
     /* iterate through the chunks */