Commit 6677c986 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/escape124: Check buf_size against num_superblocks

Fixes: Timeout
Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent e7c0b44e
...@@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, ...@@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,
// This call also guards the potential depth reads for the // This call also guards the potential depth reads for the
// codebook unpacking. // codebook unpacking.
if (get_bits_left(&gb) < 64) // Check if the amount we will read minimally is available on input.
// The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320
// represent a lower bound of the space needed for skiped superblocks. Non
// skipped SBs need more space.
if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
return -1; return -1;
frame_flags = get_bits_long(&gb, 32); frame_flags = get_bits_long(&gb, 32);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment