avcodec/indeo2: Check for invalid VLCs

Fixes: timeout Fixes: 1416/clusterfuzz-testcase-minimized-5536862435278848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 159fb8ff7e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-02-06 09:49:56 +00:00 · 2017-05-09 00:02:22 +02:00 · 2017-05-09 00:02:22 +02:00 · 99341b2a7f
commit 99341b2a7f
parent e82d6dafde
1 changed files with 8 additions and 1 deletions
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@ -68,6 +68,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
            for (i = 0; i < c * 2; i++)
                dst[out++] = 0x80;
        } else { /* copy two values from table */
+            if (c <= 0)
+                return AVERROR_INVALIDDATA;
            dst[out++] = table[c * 2];
            dst[out++] = table[(c * 2) + 1];
        }
@ -89,7 +91,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
                    out++;
                }
            } else { /* add two deltas from table */
-                int t    = dst[out - pitch] + (table[c * 2] - 128);
+                int t;
+                if (c <= 0)
+                    return AVERROR_INVALIDDATA;
+                t        = dst[out - pitch] + (table[c * 2] - 128);
                t        = av_clip_uint8(t);
                dst[out] = t;
                out++;
@ -125,6 +130,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_
                c   -= 0x7F;
                out += c * 2;
            } else { /* add two deltas from table */
+                if (c <= 0)
+                    return AVERROR_INVALIDDATA;
                t        = dst[out] + (((table[c * 2] - 128)*3) >> 2);
                t        = av_clip_uint8(t);
                dst[out] = t;