From be62e519435b7995cc551740e3dd81c7d3c96ef4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 23 Oct 2020 20:39:33 +0200
Subject: [PATCH] avcodec/magicyuv: Check slice size before reading flags and
 pred

Fixes: heap-buffer-overflow
Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0dc42147b6843b133d4fa46bf1c2568a837b4bec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/magicyuv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
index 54a5ce0192..e41de1d608 100644
--- a/libavcodec/magicyuv.c
+++ b/libavcodec/magicyuv.c
@@ -706,6 +706,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
 
         s->slices[i][j].start = offset + header_size;
         s->slices[i][j].size  = avpkt->size - s->slices[i][j].start;
+
+        if (s->slices[i][j].size < 2)
+            return AVERROR_INVALIDDATA;
     }
 
     if (bytestream2_get_byte(&gbyte) != s->planes)