avcodec/bgmc: Check input space in ff_bgmc_decode_init()

Fixes: Infinite loop
Fixes: 16608/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5636229827133440

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Thilo Borgmann <thilo.borgmann@mail.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

libavcodec/alsdec.c

@@ -821,7 +821,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
         unsigned int low;
         unsigned int value;
 
-        ff_bgmc_decode_init(gb, &high, &low, &value);
+        int ret = ff_bgmc_decode_init(gb, &high, &low, &value);
+        if (ret < 0)
+            return ret;
 
         current_res = bd->raw_samples + start;
 

libavcodec/bgmc.c

@@ -485,12 +485,17 @@ av_cold void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status)
 
 
 /** Initialize decoding and reads the first value */
-void ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h,
+int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h,
                          unsigned int *l, unsigned int *v)
 {
+    if (get_bits_left(gb) < VALUE_BITS)
+        return AVERROR_INVALIDDATA;
+
     *h = TOP_VALUE;
     *l = 0;
     *v = get_bits_long(gb, VALUE_BITS);
+
+    return 0;
 }
 
 

libavcodec/bgmc.h

@@ -40,7 +40,7 @@ int ff_bgmc_init(AVCodecContext *avctx, uint8_t **cf_lut, int **cf_lut_status);
 void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status);
 
 
-void ff_bgmc_decode_init(GetBitContext *gb,
+int ff_bgmc_decode_init(GetBitContext *gb,
                       unsigned int *h, unsigned int *l, unsigned int *v);