avcodec/ralf: Check num_blocks before use

Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f0c0471075fe52ed31c46e038df4280aef5b67a1) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-05-11 22:17:43 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-07-03 12:10:24 +0200
commit: 1e31295ea2c4d8ecef5cbb1c98bff3d187223311 (patch)
tree: 1bb9a7c64abbe360f94ff8f19f861bd9cdd0f7b4
parent: 36ea0ddc75ee83e6dd7f9dcdb82b8fcab08dd19e (diff)
download: ffmpeg-1e31295ea2c4d8ecef5cbb1c98bff3d187223311.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c
index a57966a298..406326779a 100644
--- a/libavcodec/ralf.c
+++ b/libavcodec/ralf.c
@@ -482,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
     init_get_bits(&gb, src + 2, table_size);
     ctx->num_blocks = 0;
     while (get_bits_left(&gb) > 0) {
+        if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size))
+            return AVERROR_INVALIDDATA;
         ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels);
         if (get_bits1(&gb)) {
             ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9);
author	Michael Niedermayer <michael@niedermayer.cc>	2020-05-11 22:17:43 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-07-03 12:10:24 +0200
commit	1e31295ea2c4d8ecef5cbb1c98bff3d187223311 (patch)
tree	1bb9a7c64abbe360f94ff8f19f861bd9cdd0f7b4
parent	36ea0ddc75ee83e6dd7f9dcdb82b8fcab08dd19e (diff)
download	ffmpeg-1e31295ea2c4d8ecef5cbb1c98bff3d187223311.tar.gz