From 159fb8ff7e4038edf13e91d3c08bc7b8abc369b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 00:02:22 +0200 Subject: [PATCH] avcodec/indeo2: Check for invalid VLCs Fixes: timeout Fixes: 1416/clusterfuzz-testcase-minimized-5536862435278848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index f1324e4635..4971b84308 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -69,6 +69,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (i = 0; i < c * 2; i++) dst[out++] = 0x80; } else { /* copy two values from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; dst[out++] = table[c * 2]; dst[out++] = table[(c * 2) + 1]; } @@ -90,7 +92,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst out++; } } else { /* add two deltas from table */ - int t = dst[out - pitch] + (table[c * 2] - 128); + int t; + if (c <= 0) + return AVERROR_INVALIDDATA; + t = dst[out - pitch] + (table[c * 2] - 128); t = av_clip_uint8(t); dst[out] = t; out++; @@ -126,6 +131,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ c -= 0x7F; out += c * 2; } else { /* add two deltas from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; t = dst[out] + (((table[c * 2] - 128)*3) >> 2); t = av_clip_uint8(t); dst[out] = t; -- 2.11.0