avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block()
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 10 Mar 2019 00:40:59 +0000 (01:40 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Wed, 13 Mar 2019 23:24:44 +0000 (00:24 +0100)
Fixes: Out of array access
Fixes: 13500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5769760178962432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Kieran Kunhya <kierank@obe.tv>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d227ed5d598340e719eff7156b1aa0a4469e9a6a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/mpeg4videodec.c

index ecd028a..bb9f1e3 100644 (file)
@@ -1899,14 +1899,20 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n
             code >>= 1;
             run = (1 << (additional_code_len - 1)) + code;
             idx += run;
+            if (idx > 63)
+                return AVERROR_INVALIDDATA;
             j = scantable[idx++];
             block[j] = sign ? 1 : -1;
         } else if (group >= 13 && group <= 20) {
             /* Level value (Table B.49) */
+            if (idx > 63)
+                return AVERROR_INVALIDDATA;
             j = scantable[idx++];
             block[j] = get_xbits(&s->gb, additional_code_len);
         } else if (group == 21) {
             /* Escape */
+            if (idx > 63)
+                return AVERROR_INVALIDDATA;
             j = scantable[idx++];
             additional_code_len = s->avctx->bits_per_raw_sample + s->dct_precision + 4;
             flc = get_bits(&s->gb, additional_code_len);