Fixes: Timeout (239sec -> 16sec)
Fixes: 17811/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5715508149616640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/dstdec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c
index 8a1bc6a738..48271b10f7 100644
--- a/libavcodec/dstdec.c
+++ b/libavcodec/dstdec.c
@@ -56,6 +56,7 @@ static const int8_t probs_code_pred_coeff[3][3] = {
 typedef struct ArithCoder {
     unsigned int a;
     unsigned int c;
+    int overread;
 } ArithCoder;
 
 typedef struct Table {
@@ -172,6 +173,7 @@ static void ac_init(ArithCoder *ac, GetBitContext *gb)
 {
     ac->a = 4095;
     ac->c = get_bits(gb, 12);
+    ac->overread = 0;
 }
 
 static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, int *e)
@@ -191,6 +193,8 @@ static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, in
     if (ac->a < 2048) {
         int n = 11 - av_log2(ac->a);
         ac->a <<= n;
+        if (get_bits_left(gb) < n)
+            ac->overread ++;
         ac->c = (ac->c << n) | get_bits(gb, n);
     }
 }
@@ -339,6 +343,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
                 prob = 128;
             }
 
+            if (ac->overread > 16)
+                return AVERROR_INVALIDDATA;
+
             ac_get(ac, gb, prob, &residual);
             v = ((predict >> 15) ^ residual) & 1;
             dsd[((i >> 3) * channels + ch) << 2] |= v << (7 - (i & 0x7 ));
-- 
2.23.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
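Review bot: The tolerance of 16 in decode_frame's new `if (ac->overread > 16)` check is undocumented, as is why ac_get only counts an overrun refill instead of failing on the first one, so a reader cannot tell whether 16 is derived from the coder's 12-bit state or is just a bound that satisfied the fuzzer. Note that ac_get still performs `get_bits(gb, n)` after bumping the counter, so bounds safety of the read itself continues to rest on the bit reader's handling of reads past the end of the packet; the counter only shortens how long a truncated packet keeps being decoded, which appears to be the intent given the timeout named in the subject. If the reason is that the arithmetic decoder can legitimately refill a few bits past the packet end, a comment above the check such as `/* a few refills past the end are normal for the coder; more than 16 means the packet is truncated */` would record that, and `ac->overread++` without the space would match the surrounding style. ac_get and decode_frame both begin outside their hunks, and the reset added to ac_init in the second hunk is the only place the counter is cleared.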