Fixes: Timeout
Fixes: 3142/clusterfuzz-testcase-5007853163118592
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/snowdec.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 727e908fb5..77ffe7f594 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -183,13 +183,24 @@ static int decode_q_branch(SnowContext *s, int level, int
x, int y){
int my_context= av_log2(2*FFABS(left->my - top->my)) +
0*av_log2(2*FFABS(tr->my - top->my));
type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ?
BLOCK_INTRA : 0;
-
if(type){
+ int ld, cbd, crd;
pred_mv(s, &mx, &my, 0, left, top, tr);
- l += get_symbol(&s->c, &s->block_state[32], 1);
+ ld = get_symbol(&s->c, &s->block_state[32], 1);
+ if (ld < -255 || ld > 255) {
+ av_log(s->avctx, AV_LOG_DEBUG, "Invalid (Out of range) intra
luma block DC difference %d\n", ld);
+ return AVERROR_INVALIDDATA;
+ }
+ l += ld;
if (s->nb_planes > 2) {
- cb+= get_symbol(&s->c, &s->block_state[64], 1);
- cr+= get_symbol(&s->c, &s->block_state[96], 1);
+ cbd = get_symbol(&s->c, &s->block_state[64], 1);
+ crd = get_symbol(&s->c, &s->block_state[96], 1);
+ if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) {
+ av_log(s->avctx, AV_LOG_DEBUG, "Invalid (Out of range)
intra chroma block DC difference %d, %d\n", cbd, crd);
+ return AVERROR_INVALIDDATA;
+ }
+ cb += cbd;
+ cr += crd;
}
}else{
if(s->ref_frames > 1)
--
2.15.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
