From f7b403bba6fd10aaf6bdf9dffd786d95a1748236 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 3 Jul 2022 13:31:19 +0200
Subject: avcodec/ffv1dec: Limit golomb rice coded slices to width 8M

This limit is possibly not reachable due to other restrictions on buffers but
the decoder run table is too small beyond this, so explicitly check for it.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b4431399ec1e10afff458cf1ffae2a75987d725a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ffv1dec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 2ff749ffa4..dddfaed4d5 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -188,6 +188,9 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs)
          || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
         return -1;
 
+    if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))
+        return AVERROR_INVALIDDATA;
+
     for (i = 0; i < f->plane_count; i++) {
         PlaneContext * const p = &fs->plane[i];
         int idx = get_symbol(c, state, 0);
-- 
cgit v1.2.1