avcodec/lscrdec: Check length in decode_idat()

Fixes: out of array access Fixes: 32264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LSCR_fuzzer-6684504010915840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-12-23 12:43:46 +02:00 · 2021-03-30 13:17:09 +02:00 · 2021-03-30 13:17:09 +02:00 · c01cd2a8b2
commit c01cd2a8b2
parent 6055b93379
1 changed files with 4 additions and 0 deletions
--- a/libavcodec/lscrdec.c
+++ b/libavcodec/lscrdec.c
@ -76,6 +76,10 @@ static int decode_idat(LSCRContext *s, int length)
    int ret;
    s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb));
    s->zstream.next_in  = s->gb.buffer;
+
+    if (length <= 0)
+        return AVERROR_INVALIDDATA;
+
    bytestream2_skip(&s->gb, length);

    /* decode one line if possible */