avcodec/ralf: Check num_blocks before use

Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-05-11 22:17:43 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-05-12 21:39:13 +0200
commit: f0c0471075fe52ed31c46e038df4280aef5b67a1 (patch)
tree: 007c207206804575488524a7a7870aa71e7fb4ea /libavcodec/ralf.c
parent: a035fd88ae7341a05c01f3b393921933e4ea9665 (diff)
download: ffmpeg-f0c0471075fe52ed31c46e038df4280aef5b67a1.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c
index 08e8043e30..0080b23941 100644
--- a/libavcodec/ralf.c
+++ b/libavcodec/ralf.c
@@ -482,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
     init_get_bits(&gb, src + 2, table_size);
     ctx->num_blocks = 0;
     while (get_bits_left(&gb) > 0) {
+        if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size))
+            return AVERROR_INVALIDDATA;
         ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels);
         if (get_bits1(&gb)) {
             ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9);
author	Michael Niedermayer <michael@niedermayer.cc>	2020-05-11 22:17:43 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-05-12 21:39:13 +0200
commit	f0c0471075fe52ed31c46e038df4280aef5b67a1 (patch)
tree	007c207206804575488524a7a7870aa71e7fb4ea /libavcodec/ralf.c
parent	a035fd88ae7341a05c01f3b393921933e4ea9665 (diff)
download	ffmpeg-f0c0471075fe52ed31c46e038df4280aef5b67a1.tar.gz