avcodec/scpr: Fix reading a pixel before the first
authorMichael Niedermayer <michael@niedermayer.cc>
Sat, 3 Feb 2018 17:49:07 +0000 (18:49 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 11 Feb 2018 01:49:15 +0000 (02:49 +0100)
Fixes: 5540/clusterfuzz-testcase-minimized-6122458273808384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/scpr.c

index cbe1bc4..ad6073d 100644 (file)
@@ -681,6 +681,8 @@ static int decompress_p(AVCodecContext *avctx,
                                 return AVERROR_INVALIDDATA;
 
                             if (bx == 0) {
+                                if (by < 2)
+                                    return AVERROR_INVALIDDATA;
                                 z = backstep;
                             } else {
                                 z = 0;
@@ -710,6 +712,8 @@ static int decompress_p(AVCodecContext *avctx,
                                 return AVERROR_INVALIDDATA;
 
                             if (bx == 0) {
+                                if (by < 2)
+                                    return AVERROR_INVALIDDATA;
                                 z = backstep;
                             } else {
                                 z = 0;