avcodec/scpr: Check for min > max in decompress_p()
author Michael Niedermayer <michael@niedermayer.cc>
Sat, 4 Aug 2018 21:45:52 +0000 (23:45 +0200)
committer Michael Niedermayer <michael@niedermayer.cc>
Wed, 31 Oct 2018 23:52:46 +0000 (00:52 +0100)
Fixes: Timeout
Fixes: 9342/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-4795990841229312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3378194ce8e9a126a7cc6ed57bedde1221790469)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/scpr.c

index 694450a..f286ca8 100644 (file)
@@ -522,6 +522,9 @@ static int decompress_p(AVCodecContext *avctx,
         return ret;
 
     max += temp << 8;
+    if (min > max)
+        return AVERROR_INVALIDDATA;
+
     memset(s->blocks, 0, sizeof(*s->blocks) * s->nbcount);
 
     while (min <= max) {
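
Review bot: The new `if (min > max)` check has no comment, and from the code alone it looks redundant, because the `while (min <= max)` loop right after it already does nothing for that input. The reason for returning AVERROR_INVALIDDATA (stopping work on a frame whose block range is empty, per the "Fixes: Timeout" line) only exists in the commit message, so a one-line comment above the check would keep someone from removing it later as dead code. Also note that the early return sits before the `memset(s->blocks, ...)`, so on this error path `s->blocks` keeps whatever the previous call left there. It is worth confirming that nothing reads `s->blocks` after decompress_p() fails, or else moving the check below the memset.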