avcodec/qdm2: Check checksum_size for 0
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 23 Jun 2019 23:01:04 +0000 (01:01 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 8 Jul 2019 07:44:36 +0000 (09:44 +0200)
Fixes: Infinite loop
Fixes: 15337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5757428949319680

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/qdm2.c

index 1e91f47..eaffb36 100644 (file)
@@ -1704,8 +1704,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
     s->group_size = bytestream2_get_be32(&gb);
     s->fft_size = bytestream2_get_be32(&gb);
     s->checksum_size = bytestream2_get_be32(&gb);
-    if (s->checksum_size >= 1U << 28) {
-        av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+    if (s->checksum_size >= 1U << 28 || !s->checksum_size) {
+        av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size);
         return AVERROR_INVALIDDATA;
     }
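Review bot: The new condition rejects a zero checksum_size without saying why, and a reader of qdm2_decode_init has no way to tell from this hunk that zero is what drove the infinite loop the commit message cites; a one-line comment above the `if` would keep that knowledge next to the check, e.g. `/* checksum_size is a data block size read from extradata; 0 is invalid and presumably used as a stride/divisor later, which is how the fuzzer-found infinite loop arose */`. The merged log message `"data block size invalid (%u)"` still prints the value, so the two rejection cases remain distinguishable in logs, which is fine. group_size and fft_size are read from the same untrusted extradata two lines earlier with no check in this hunk; if they are validated further down in the function that is adequate, otherwise they deserve the same bounds treatment. qdm2_decode_init begins before and ends after this hunk.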