avcodec/cavsdec: Check remaining bitstream in the main loop in decode_pic()

Fixes: Timeout (149sec ->1sec) Fixes: 17311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5679368642232320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/cavsdec: Check remaining bitstream in the main loop in decode_pic()
Fixes: Timeout (149sec ->1sec) Fixes: 17311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5679368642232320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
e7113704 · Michael Niedermayer · ea770eb5 · e7113704 · e7113704
Commit e7113704 authored Sep 24, 2019 by Michael Niedermayer
Show whitespace changes
Inline Side-by-side

Showing with 13 additions and 3 deletions

cavsdec.c libavcodec/cavsdec.c +12 -2

cavs tests/ref/fate/cavs +1 -1

No files found.
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1101,11 +1101,16 @@ static int decode_pic(AVSContext *h)
        do {
            if (check_for_slice(h))
                skip_count = -1;
-            if (h->skip_mode_flag && (skip_count < 0))
+            if (h->skip_mode_flag && (skip_count < 0)) {
+                if (get_bits_left(&h->gb) < 1)
+                    break;
                skip_count = get_ue_golomb(&h->gb);
+            }
            if (h->skip_mode_flag && skip_count--) {
                decode_mb_p(h, P_SKIP);
            } else {
+                if (get_bits_left(&h->gb) < 1)
+                    break;
                mb_type = get_ue_golomb(&h->gb) + P_SKIP + h->skip_mode_flag;
                if (mb_type > P_8X8)
                    ret = decode_mb_i(h, mb_type - P_8X8 - 1);
@@ -1119,11 +1124,16 @@ static int decode_pic(AVSContext *h)
        do {
            if (check_for_slice(h))
                skip_count = -1;
-            if (h->skip_mode_flag && (skip_count < 0))
+            if (h->skip_mode_flag && (skip_count < 0)) {
+                if (get_bits_left(&h->gb) < 1)
+                    break;
                skip_count = get_ue_golomb(&h->gb);
+            }
            if (h->skip_mode_flag && skip_count--) {
                ret = decode_mb_b(h, B_SKIP);
            } else {
+                if (get_bits_left(&h->gb) < 1)
+                    break;
                mb_type = get_ue_golomb(&h->gb) + B_SKIP + h->skip_mode_flag;
                if (mb_type > B_8X8)
                    ret = decode_mb_i(h, mb_type - B_8X8 - 1);

--- a/tests/ref/fate/cavs
+++ b/tests/ref/fate/cavs
@@ -172,4 +172,4 @@
 0,        166,        166,        1,   622080, 0x05496a5d
 0,        167,        167,        1,   622080, 0xdcb4cee8
 0,        168,        168,        1,   622080, 0xb41172e5
-0,        169,        169,        1,   622080, 0x56c72478
+0,        169,        169,        1,   622080, 0x26146e0b