[FFmpeg-devel] [PATCH 4/6] [RFC] avcodec/motionpixels: Check for end of input in mp_decode_frame_helper()

Michael Niedermayer michael at niedermayer.cc
Mon Aug 12 03:17:17 EEST 2019


Improves: Timeout (75sec -> 50sec)
Improves: 16053/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-5647069169057792

Together with the planned reduction in the threshold this would bring this to 20sec and fix the Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/motionpixels.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index 8750a4fa16..ecf32b6144 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -253,7 +253,7 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y)
     }
 }
 
-static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
+static int mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
 {
     YuvPixel p;
     int y, y0;
@@ -265,6 +265,8 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
             memset(mp->gradient_scale, 1, sizeof(mp->gradient_scale));
             p = mp_get_yuv_from_rgb(mp, 0, y);
         } else {
+            if (mp->codes_count > 1 && get_bits_left(gb) < 1)
+                return AVERROR_INVALIDDATA;
             p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
             p.y = av_clip_uintp2(p.y, 5);
             if ((y & 3) == 0) {
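Review bot: The AVERROR_INVALIDDATA returned at line 36 is not consumed anywhere in this patch: the diffstat (5 insertions, 1 deletion, one file) accounts exactly for the lines visible here, so mp_decode_frame presumably still calls `mp_decode_frame_helper(mp, &gb);` and discards the result, and a truncated frame is handed back to the caller as if fully decoded unless a later patch in the series propagates it. The call site should become `ret = mp_decode_frame_helper(mp, &gb); if (ret < 0) return ret;` (or jump to whatever frame-release path mp_decode_frame uses). The guard itself keys on `codes_count > 1` and a single remaining bit, which reads as "with one code mp_get_vlc consumes no bits, so an empty reader is fine" — that is inferred from the condition, not visible here, and deserves a one-line comment above line 35 so the asymmetry is not undone later. mp_decode_frame_helper starts in the previous hunk and ends in the next.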
@@ -280,6 +282,8 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
     for (y0 = 0; y0 < 2; ++y0)
         for (y = y0; y < mp->avctx->height; y += 2)
             mp_decode_line(mp, gb, y);
+
+    return 0;
 }
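Review bot: The second loop at lines 41-43 still calls mp_decode_line for every row with no end-of-input check, so a stream that passes the new guard in the first loop but runs dry shortly after still spends the full two passes over the height reading from an exhausted GetBitContext (which presumably yields zeros rather than failing — to be confirmed against mp_decode_line). If the goal is to bound the timeout, the same condition could precede each call, `if (mp->codes_count > 1 && get_bits_left(gb) < 1) return AVERROR_INVALIDDATA;`, subject to confirming that mp_decode_line has no legitimate zero-bit path. The function starts in an earlier hunk.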
 
 static int mp_decode_frame(AVCodecContext *avctx,
-- 
2.22.0


