avcodec/indeo2: Check for invalid VLCs
authorMichael Niedermayer <michael@niedermayer.cc>
Mon, 8 May 2017 22:02:22 +0000 (00:02 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 8 May 2017 22:42:20 +0000 (00:42 +0200)
Fixes: timeout
Fixes: 1416/clusterfuzz-testcase-minimized-5536862435278848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/indeo2.c

index f1324e4..4971b84 100644 (file)
@@ -69,6 +69,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
             for (i = 0; i < c * 2; i++)
                 dst[out++] = 0x80;
         } else { /* copy two values from table */
+            if (c <= 0)
+                return AVERROR_INVALIDDATA;
             dst[out++] = table[c * 2];
             dst[out++] = table[(c * 2) + 1];
         }
@@ -90,7 +92,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
                     out++;
                 }
             } else { /* add two deltas from table */
-                int t    = dst[out - pitch] + (table[c * 2] - 128);
+                int t;
+                if (c <= 0)
+                    return AVERROR_INVALIDDATA;
+                t        = dst[out - pitch] + (table[c * 2] - 128);
                 t        = av_clip_uint8(t);
                 dst[out] = t;
                 out++;
@@ -126,6 +131,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_
                 c   -= 0x7F;
                 out += c * 2;
             } else { /* add two deltas from table */
+                if (c <= 0)
+                    return AVERROR_INVALIDDATA;
                 t        = dst[out] + (((table[c * 2] - 128)*3) >> 2);
                 t        = av_clip_uint8(t);
                 dst[out] = t;