avcodec/scpr: Fix multiple runtime error: index 256 out of bounds for type 'unsigned...
author Michael Niedermayer <michael@niedermayer.cc>
Sat, 13 May 2017 13:39:32 +0000 (15:39 +0200)
committer Michael Niedermayer <michael@niedermayer.cc>
Sat, 13 May 2017 13:54:33 +0000 (15:54 +0200)
Fixes: 1519/clusterfuzz-testcase-minimized-5286680976162816

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/scpr.c

index b87c047..46f072c 100644 (file)
@@ -261,6 +261,9 @@ static int decode_unit(SCPRContext *s, PixelModel *pixel, unsigned step, unsigne
             break;
         c++;
     }
+    if (x >= 16 || c >= 256) {
+        return AVERROR_INVALIDDATA;
+    }
 
     if ((ret = s->decode(gb, rc, cumfr, cnt_c, totfr)) < 0)
         return ret;
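Review bot: The limits in the added `if (x >= 16 || c >= 256)` are bare literals, so nothing ties them to the sizes of the tables that `x` and `c` index later in decode_unit(). If those tables are fixed-size arrays, deriving the bounds from them (for example with FF_ARRAY_ELEMS) or from a shared named constant would keep the check correct if a table is ever resized. A one-line comment saying which access the check protects would also help, since the commit message only quotes the sanitizer output. Minor style point: the braces around the single `return AVERROR_INVALIDDATA;` differ from the brace-less `if (...) return ret;` immediately below.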