From 9d20901b92b551412f7876738176f00fb7177ee7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 13 Mar 2019 21:48:25 +0100
Subject: [PATCH] avcodec/arbc: Check nb_segments before allocating and copying frame

Fixes: Timeout (30sec -> 2sec)
Fixes: 13578/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARBC_fuzzer-5685625527730176

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/arbc.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/libavcodec/arbc.c b/libavcodec/arbc.c
index 11942e1983..a8b0bb0d8b 100644
--- a/libavcodec/arbc.c
+++ b/libavcodec/arbc.c
@@ -117,6 +117,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,
 if (avpkt->size < 10)
 return AVERROR_INVALIDDATA;
 
+ bytestream2_init(&s->gb, avpkt->data, avpkt->size);
+ bytestream2_skip(&s->gb, 8);
+ nb_segments = bytestream2_get_le16(&s->gb);
+ if (nb_segments == 0)
+ keyframe = 0;
+
+ if (7 * nb_segments > bytestream2_get_bytes_left(&s->gb))
+ return AVERROR_INVALIDDATA;
+
 if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
 return ret;
 
@@ -126,12 +135,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
 return ret;
 }
 
- bytestream2_init(&s->gb, avpkt->data, avpkt->size);
- bytestream2_skip(&s->gb, 8);
- nb_segments = bytestream2_get_le16(&s->gb);
- if (nb_segments == 0)
- keyframe = 0;
-
 for (int i = 0; i < nb_segments; i++) {
 int resolution_flag;
 int fill;
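Review bot: The `7` in the new guard `if (7 * nb_segments > bytestream2_get_bytes_left(&s->gb))` is an unexplained magic number; nothing in the hunk says what the seven bytes per segment are, so it deserves a comment or a named constant, e.g. `/* each segment needs at least 7 bytes of input; reject here, before ff_get_buffer(), so a bogus segment count cannot trigger the allocation and copy */`. Because nb_segments comes from a 16-bit field read by bytestream2_get_le16(), the product cannot overflow int, so the arithmetic itself is sound. This is only a lower bound derived from the count: if a segment in the loop below can consume more than 7 bytes, that loop still has to depend on bytestream2's own bounds handling for its reads, which I cannot confirm from this hunk. decode_frame begins and ends outside the hunk, so the interaction of the moved `keyframe = 0` assignment with whatever runs between the guard and the segment loop is not visible here either.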