From fb7b0347b3317d606af2082ccd029e38a2ff6cb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Sep 2018 00:09:45 +0200 Subject: [PATCH] avcodec/mpeg4videodec: Check rice_prefix_code Fixes: out of array read Fixes: 10064/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5766801384800256 Fixes: 10225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5071833448054784 Fixes: 10261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5115048024866816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 4c77081237..853c6d9132 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1968,6 +1968,10 @@ static int mpeg4_decode_dpcm_macroblock(MpegEncContext *s, int16_t macroblock[25 if (rice_prefix_code == 11) dpcm_residual = get_bits(&s->gb, s->avctx->bits_per_raw_sample); else { + if (rice_prefix_code == 12) { + av_log(s->avctx, AV_LOG_ERROR, "Forbidden rice_prefix_code\n"); + return AVERROR_INVALIDDATA; + } rice_suffix_code = get_bitsz(&s->gb, rice_parameter); dpcm_residual = (rice_prefix_code << rice_parameter) + rice_suffix_code; }