avcodec/wmavoice: Check remaining input in parse_packet_header()

Fixes: Infinite loop Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 19c41969b26d07519fff8182a0d3266cdb712078) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2019-11-23 09:18:12 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-01-06 15:03:15 +0100
commit: a08a0c97a49837f728f6e12b12e5829ef6b987c0 (patch)
tree: e35f22c8c6617c14ab1e5290a67ecb6dd37fe987
parent: 66582e349e3c26740658b5ef4a9c8820a9dfb465 (diff)
download: ffmpeg-a08a0c97a49837f728f6e12b12e5829ef6b987c0.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index bb7950be47..8df67de65b 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1843,6 +1843,9 @@ static int parse_packet_header(WMAVoiceContext *s)
     skip_bits(gb, 4);          // packet sequence number
     s->has_residual_lsps = get_bits1(gb);
     do {
+        if (get_bits_left(gb) < 6 + s->spillover_bitsize)
+            return AVERROR_INVALIDDATA;
+
         res = get_bits(gb, 6); // number of superframes per packet
                                // (minus first one if there is spillover)
         n_superframes += res;
author	Michael Niedermayer <michael@niedermayer.cc>	2019-11-23 09:18:12 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-01-06 15:03:15 +0100
commit	a08a0c97a49837f728f6e12b12e5829ef6b987c0 (patch)
tree	e35f22c8c6617c14ab1e5290a67ecb6dd37fe987
parent	66582e349e3c26740658b5ef4a9c8820a9dfb465 (diff)
download	ffmpeg-a08a0c97a49837f728f6e12b12e5829ef6b987c0.tar.gz