From ecbe3e73662b765b1ab0147da105186799ac83c7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 28 Jun 2025 02:21:57 +0200
Subject: [PATCH] avcodec/rv60dec: Check ofs for overflows

Fixes: signed integer overflow: 30 + 2147483647 cannot be represented in type 'int'
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-6568264620900352

Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rv60dec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 6075598861..4a3d9067db 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -2347,10 +2347,12 @@ static int rv60_decode_frame(AVCodecContext *avctx, AVFrame * frame,
     ofs = get_bits_count(&gb) / 8;
 
     for (int i = 0; i < s->cu_height; i++) {
-        if (header_size + ofs >= avpkt->size)
+        if (ofs >= avpkt->size - header_size)
             return AVERROR_INVALIDDATA;
         s->slice[i].data = avpkt->data + header_size + ofs;
         s->slice[i].data_size = FFMIN(s->slice[i].size, avpkt->size - header_size - ofs);
+        if (s->slice[i].size > INT32_MAX - ofs)
+            return AVERROR_INVALIDDATA;
         ofs += s->slice[i].size;
     }