avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform()
authorMichael Niedermayer <michael@niedermayer.cc>
Thu, 11 Apr 2019 22:09:57 +0000 (00:09 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Thu, 27 Jun 2019 15:50:47 +0000 (17:50 +0200)
Fixes: assertion failure
Fixes: 14078/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5760571284127744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 110dce96331529a13cc815d3c852aed9d37f83d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/ivi.c

index b23d4af..19a3798 100644 (file)
@@ -488,12 +488,6 @@ static int ivi_dec_tile_data_size(GetBitContext *gb)
 static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs,
                             int blk_size)
 {
-    int buf_size = band->pitch * band->aheight - buf_offs;
-    int min_size = (blk_size - 1) * band->pitch + blk_size;
-
-    if (min_size > buf_size)
-        return AVERROR_INVALIDDATA;
-
     band->dc_transform(prev_dc, band->buf + buf_offs,
                        band->pitch, blk_size);
 
@@ -724,6 +718,11 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band,
                 if (ret < 0)
                     return ret;
             } else {
+                int buf_size = band->pitch * band->aheight - buf_offs;
+                int min_size = (blk_size - 1) * band->pitch + blk_size;
+
+                if (min_size > buf_size)
+                    return AVERROR_INVALIDDATA;
                 /* block not coded */
                 /* for intra blocks apply the dc slant transform */
                 /* for inter - perform the motion compensation without delta */