avcodec/escape124: Check buf_size against num_superblocks

Fixes: Timeout Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-19 05:49:09 +02:00 · 2018-06-24 19:23:02 +02:00 · 2018-06-24 19:23:02 +02:00 · 9bfdb49b74
commit 9bfdb49b74
parent 8db6c2993b
1 changed files with 5 additions and 1 deletions
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@ -222,7 +222,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,

    // This call also guards the potential depth reads for the
    // codebook unpacking.
-    if (get_bits_left(&gb) < 64)
+    // Check if the amount we will read minimally is available on input.
+    // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320
+    // represent a lower bound of the space needed for skiped superblocks. Non
+    // skipped SBs need more space.
+    if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
        return -1;

    frame_flags = get_bits_long(&gb, 32);