RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-02-07 15:22:57 +00:00
Code Issues Projects Releases Wiki Activity

avcodec/mv30: Check remaining mask in decode_inter()

Browse Source 
Fixes: timeout (too long -> 4sec)
Fixes: 25129/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5642089713631232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-09-14 00:03:36 +02:00
parent c467adf3bf
commit 142ae27b1d
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/mv30.c
View File

@ -531,8 +531,13 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb,
for (int x = 0; x < avctx->width; x += 16) { for (int x = 0; x < avctx->width; x += 16) {
if (cnt >= 4) if (cnt >= 4)
cnt = 0; cnt = 0;
if (cnt == 0) if (cnt == 0) {
if (get_bits_left(&mask) < 8) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
flags = get_bits(&mask, 8); flags = get_bits(&mask, 8);
}
dst[0] = frame->data[0] + linesize[0] * y + x; dst[0] = frame->data[0] + linesize[0] * y + x;
dst[1] = frame->data[0] + linesize[0] * y + x + 8; dst[1] = frame->data[0] + linesize[0] * y + x + 8;