avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder()

Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 1 of 2)

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Reviewed-by: BBB
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1 files changed, 7 insertions, 2 deletions

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 09365f833a..a41f3a3961 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -852,7 +852,10 @@ static int decode_frame_header(AVCodecContext *ctx,
         av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n");
         return AVERROR_INVALIDDATA;
     }
-    ff_vp56_init_range_decoder(&s->c, data2, size2);
+    res = ff_vp56_init_range_decoder(&s->c, data2, size2);
+    if (res < 0)
+        return res;
+
     if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit
         av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n");
         return AVERROR_INVALIDDATA;
@@ -4153,7 +4156,9 @@ FF_ENABLE_DEPRECATION_WARNINGS
                         ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0);
                         return AVERROR_INVALIDDATA;
                     }
-                    ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size);
+                    res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size);
+                    if (res < 0)
+                        return res;
                     if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit
                         ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0);
                         return AVERROR_INVALIDDATA;