Commit d227ed5d authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block()

Fixes: Out of array access
Fixes: 13500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5769760178962432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: 's avatarKieran Kunhya <kierank@obe.tv>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 3f086a2f
...@@ -1899,14 +1899,20 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n ...@@ -1899,14 +1899,20 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n
code >>= 1; code >>= 1;
run = (1 << (additional_code_len - 1)) + code; run = (1 << (additional_code_len - 1)) + code;
idx += run; idx += run;
if (idx > 63)
return AVERROR_INVALIDDATA;
j = scantable[idx++]; j = scantable[idx++];
block[j] = sign ? 1 : -1; block[j] = sign ? 1 : -1;
} else if (group >= 13 && group <= 20) { } else if (group >= 13 && group <= 20) {
/* Level value (Table B.49) */ /* Level value (Table B.49) */
if (idx > 63)
return AVERROR_INVALIDDATA;
j = scantable[idx++]; j = scantable[idx++];
block[j] = get_xbits(&s->gb, additional_code_len); block[j] = get_xbits(&s->gb, additional_code_len);
} else if (group == 21) { } else if (group == 21) {
/* Escape */ /* Escape */
if (idx > 63)
return AVERROR_INVALIDDATA;
j = scantable[idx++]; j = scantable[idx++];
additional_code_len = s->avctx->bits_per_raw_sample + s->dct_precision + 4; additional_code_len = s->avctx->bits_per_raw_sample + s->dct_precision + 4;
flc = get_bits(&s->gb, additional_code_len); flc = get_bits(&s->gb, additional_code_len);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment