avcodec/wmaprodec: Check packet size

Fixes: left shift of negative value -25824 Fixes: 27754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5760255962906624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 69aeba8a19ac2fa6e1c9bdfb19229b513f314bb1) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-02-04 06:08:26 +02:00 · 2020-12-04 00:52:47 +01:00 · 2020-12-04 00:52:47 +01:00 · 93cdec591b
commit 93cdec591b
parent 9dc6c0d8d0
1 changed files with 6 additions and 0 deletions
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@ -1607,6 +1607,12 @@ static int decode_packet(AVCodecContext *avctx, void *data,

    } else {
        int frame_size;
+
+        if (avpkt->size < s->next_packet_start) {
+            s->packet_loss = 1;
+            return AVERROR_INVALIDDATA;
+        }
+
        s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3;
        init_get_bits(gb, avpkt->data, s->buf_bit_size);
        skip_bits(gb, s->packet_offset);