From 8e58d20e1091f58287f430299edabc2f9a9b0c4b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 11 Jan 2023 21:07:13 +0100
Subject: [PATCH] avcodec/bonk: Check ntaps against buffer size

Fixes: out of array read
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6739246658748416

Note: This issue was assigned to a unrelated theora bug

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bonk.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 9e176d5477..061cc69a58 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -101,6 +101,10 @@ static av_cold int bonk_init(AVCodecContext *avctx)
     s->samples_per_packet = AV_RL16(avctx->extradata + 15);
     if (!s->samples_per_packet)
         return AVERROR(EINVAL);
+
+    if (s->down_sampling * s->samples_per_packet < s->n_taps)
+        return AVERROR_INVALIDDATA;
+
     s->max_framesize = s->samples_per_packet * avctx->ch_layout.nb_channels * s->down_sampling * 16LL;
     if (s->max_framesize > (INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE) / 8)
         return AVERROR_INVALIDDATA;