Fixes: out of array read Fixes: 10064/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5766801384800256 Fixes: 10225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5071833448054784 Fixes: 10261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5115048024866816
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/mpeg4videodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 4c77081237..853c6d9132 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1968,6 +1968,10 @@ static int mpeg4_decode_dpcm_macroblock(MpegEncContext *s, int16_t macroblock[25 if (rice_prefix_code == 11) dpcm_residual = get_bits(&s->gb, s->avctx->bits_per_raw_sample); else { + if (rice_prefix_code == 12) { + av_log(s->avctx, AV_LOG_ERROR, "Forbidden rice_prefix_code\n"); + return AVERROR_INVALIDDATA; + } rice_suffix_code = get_bitsz(&s->gb, rice_parameter); dpcm_residual = (rice_prefix_code << rice_parameter) + rice_suffix_code; } -- 2.18.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
