diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2018-06-24 19:23:02 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-07-08 19:45:47 +0200 |
commit | dac23ef23c5ef416d1ed399dd8ea7b46d90e14c8 (patch) | |
tree | ffc6a5af2d112cade65099ba884296afab7062b3 | |
parent | 2a30376e5095feafced45964b0cc8fb507fdff61 (diff) | |
download | ffmpeg-dac23ef23c5ef416d1ed399dd8ea7b46d90e14c8.tar.gz |
avcodec/escape124: Check buf_size against num_superblocks
Fixes: Timeout
Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/escape124.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index c3174ce6ef..186f0cb8af 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. - if (get_bits_left(&gb) < 64) + // Check if the amount we will read minimally is available on input. + // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 + // represent a lower bound of the space needed for skiped superblocks. Non + // skipped SBs need more space. + if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; frame_flags = get_bits_long(&gb, 32); |