Fixes: Timeout (30sec -> 2sec)
Fixes: 13578/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARBC_fuzzer-5685625527730176
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavcodec/arbc.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/libavcodec/arbc.c b/libavcodec/arbc.c
index 841a9f10ac..52c9a197f9 100644
--- a/libavcodec/arbc.c
+++ b/libavcodec/arbc.c
@@ -121,6 +121,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,
if (avpkt->size < 10)
return AVERROR_INVALIDDATA;
+bytestream2_init(>gb, avpkt->data, avpkt->size);
+bytestream2_skip(>gb, 8);
+nb_segments = bytestream2_get_le16(>gb);
+if (nb_segments == 0)
+keyframe = 0;
+
+if (7 * nb_segments > bytestream2_get_bytes_left(>gb))
+return AVERROR_INVALIDDATA;
+
if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
return ret;
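Review bot: The new guard `if (7 * nb_segments > bytestream2_get_bytes_left(>gb))` uses a bare constant for the per-segment minimum, and nothing in the hunk says where 7 comes from; a comment such as `/* every segment carries at least 7 bytes (see the per-segment loop below) */` would tie it to the parsing code it protects, so a later change to the segment layout does not silently invalidate the bound. The check is only a lower bound: segments whose resolution flag is set presumably consume more than 7 bytes, so the reads inside the loop still rely on bytestream2's end-of-buffer behaviour rather than on this check, which is worth stating next to it. Placing the check before ff_get_buffer() is the part that removes the wasted allocation on malformed input, so it should stay ahead of that call if the function is reordered again. decode_frame starts before and continues after this hunk.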
@@ -130,12 +139,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
return ret;
}
-bytestream2_init(>gb, avpkt->data, avpkt->size);
-bytestream2_skip(>gb, 8);
-nb_segments = bytestream2_get_le16(>gb);
-if (nb_segments == 0)
-keyframe = 0;
-
for (int i = 0; i < nb_segments; i++) {
int resolution_flag;
uint8_t fill[3];
--
2.21.0