[FFmpeg-cvslog] avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block()
Michael Niedermayer
git at videolan.org
Tue Mar 12 01:50:06 EET 2019
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Mar 10 01:40:59 2019 +0100| [d227ed5d598340e719eff7156b1aa0a4469e9a6a] | committer: Michael Niedermayer
avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block()
Fixes: Out of array access
Fixes: 13500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5769760178962432
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Kieran Kunhya <kierank at obe.tv>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d227ed5d598340e719eff7156b1aa0a4469e9a6a
---
libavcodec/mpeg4videodec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 99b1e10620..b6f2ae7b7b 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -1899,14 +1899,20 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n
code >>= 1;
run = (1 << (additional_code_len - 1)) + code;
idx += run;
+ if (idx > 63)
+ return AVERROR_INVALIDDATA;
j = scantable[idx++];
block[j] = sign ? 1 : -1;
} else if (group >= 13 && group <= 20) {
/* Level value (Table B.49) */
+ if (idx > 63)
+ return AVERROR_INVALIDDATA;
j = scantable[idx++];
block[j] = get_xbits(&s->gb, additional_code_len);
} else if (group == 21) {
/* Escape */
+ if (idx > 63)
+ return AVERROR_INVALIDDATA;
j = scantable[idx++];
additional_code_len = s->avctx->bits_per_raw_sample + s->dct_precision + 4;
flc = get_bits(&s->gb, additional_code_len);
More information about the ffmpeg-cvslog
mailing list