[FFmpeg-cvslog] avcodec/cook: Check subpacket index against max

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Sep 27 20:23:10 2020 +0200| [5a2a7604da5f7a2fc498d1d5c90bd892edac9ce8] | committer: Michael Niedermayer

avcodec/cook: Check subpacket index against max

Fixes: off by 1 error
Fixes: index 5 out of bounds for type 'COOKSubpacket [5]'
Fixes: 25772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5762459498184704.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5a2a7604da5f7a2fc498d1d5c90bd892edac9ce8
---

 libavcodec/cook.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/cook.c b/libavcodec/cook.c
index d0b41a2431..9582495442 100644
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -1084,6 +1084,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
     ff_audiodsp_init(&q->adsp);
 
     while (bytestream2_get_bytes_left(&gb)) {
+        if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
+            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
+            return AVERROR_PATCHWELCOME;
+        }
         /* 8 for mono, 16 for stereo, ? for multichannel
            Swap to right endianness so we don't need to care later on. */
         q->subpacket[s].cookversion      = bytestream2_get_be32(&gb);
@@ -1215,10 +1219,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
 
         q->num_subpackets++;
         s++;
-        if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) {
-            avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align));
-            return AVERROR_PATCHWELCOME;
-        }
     }
 
     /* Try to catch some obviously faulty streams, otherwise it might be exploitable */