avcodec/fmvc: Fix off by 1 error
author Michael Niedermayer <michael@niedermayer.cc>
Wed, 17 May 2017 00:17:13 +0000 (02:17 +0200)
committer Michael Niedermayer <michael@niedermayer.cc>
Wed, 17 May 2017 00:17:51 +0000 (02:17 +0200)
Fixes: out of array access
Fixes: 1643/clusterfuzz-testcase-minimized-6117573403869184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/fmvc.c

index ff5f291..2368e95 100644 (file)
@@ -459,7 +459,7 @@ static int decode_frame(AVCodecContext *avctx,
             int size, offset, start = 0;
 
             offset = bytestream2_get_le16(gb);
-            if (offset > s->nb_blocks)
+            if (offset >= s->nb_blocks)
                 return AVERROR_INVALIDDATA;
 
             size = bytestream2_get_le16(gb);
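
Review bot: At `if (offset >= s->nb_blocks)`, only `offset` is bounded, while `size` is read from the bitstream on the very next line and the hunk ends before showing whether `offset + size` (or whatever range is derived from the two) is also checked against `s->nb_blocks`. If the code that follows walks `size` entries starting at `offset`, an attacker-controlled `size` could reach past the end even with a valid `offset`, so please confirm that a range check exists below or add one next to this test. It would also help to name in the commit message which array is indexed by `offset`, since "out of array access" alone does not tell a later reader why `offset == s->nb_blocks` is invalid, that is, that valid indices run from 0 to `nb_blocks - 1`.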