avcodec/scpr3: Fix out of array access with dectab

Fixes: 23721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5914074721550336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit c8de8dfba6b2706f22214489b1779fb0d27e7e65) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/scpr3: Fix out of array access with dectab
Fixes: 23721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5914074721550336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit c8de8dfba6b2706f22214489b1779fb0d27e7e65) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1ff86cb4 · Michael Niedermayer · f1ebea7c · 1ff86cb4
Commit 1ff86cb4 authored Jul 01, 2020 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 3 deletions

scpr3.c libavcodec/scpr3.c +14 -3

No files found.
--- a/libavcodec/scpr3.c
+++ b/libavcodec/scpr3.c
@@ -234,6 +234,8 @@ static int update_model6_to_7(PixelModel3 *m)
        }
        p = (e + 127) >> 7;
        k = ((f + e - 1) >> 7) + 1;
+        if (k > FF_ARRAY_ELEMS(n.dectab))
+            return AVERROR_INVALIDDATA;
        for (i = 0; i < k - p; i++)
            n.dectab[p + i] = j;
        e += f;
@@ -702,7 +704,11 @@ static int update_model3_to_7(PixelModel3 *m, uint8_t value)
        e = d;
        n.cntsum += n.cnts[e];
        n.freqs1[e] = c;
-        for (g = n.freqs[e], q = c + 128 - 1 >> 7, f = (c + g - 1 >> 7) + 1; q < f; q++) {
+        g = n.freqs[e];
+        f = (c + g - 1 >> 7) + 1;
+        if (f > FF_ARRAY_ELEMS(n.dectab))
+            return AVERROR_INVALIDDATA;
+        for (q = c + 128 - 1 >> 7; q < f; q++) {
            n.dectab[q] = e;
        }
        c += g;
@@ -837,6 +843,7 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
    uint16_t a = 0, b = 0;
    uint32_t param;
    int type;
+    int ret;
    type = m->type;
    switch (type) {
@@ -859,7 +866,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
        break;
    case 3:
        *value = bytestream2_get_byte(&s->gb);
-        decode_static3(m, *value);
+        ret = decode_static3(m, *value);
+        if (ret < 0)
+            return AVERROR_INVALIDDATA;
        sync_code3(gb, rc);
        break;
    case 4:
@@ -877,7 +886,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
        break;
    case 6:
        if (!decode_adaptive6(m, code, value, &a, &b)) {
-            update_model6_to_7(m);
+            ret = update_model6_to_7(m);
+            if (ret < 0)
+                return AVERROR_INVALIDDATA;
        }
        decode3(gb, rc, a, b);
        sync_code3(gb, rc);