authorMichael Niedermayer <michael@niedermayer.cc>2018-12-01 21:41:01 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2019-01-21 07:53:26 +0100
commit219cbc55277ab64b305c82bfa1f85e919610f81d (patch)
treed2058a558a658ff319c80393230120030ac36069
parent55c36d2498119b3a01337115b28be006602ccb44 (diff)
avcodec/dxv: Check that there is enough data to decompress
Fixes: Timeout Fixes: 10979/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-6178582203203584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2bc3811c0d6b34e43a55a7541722761f548628d0) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/dxv.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 08aca73b1f..bf53d7d706 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -1192,6 +1192,12 @@ static int dxv_decode(AVCodecContext *avctx, void *data,
ret = decompress_tex(avctx);
if (ret < 0)
return ret;
+ {
+ int w_block = avctx->coded_width / ctx->texture_block_w;
+ int h_block = avctx->coded_height / ctx->texture_block_h;
+ if (w_block * h_block * ctx->tex_step > ctx->tex_size * 8LL)
+ return AVERROR_INVALIDDATA;
+ }
tframe.f = data;
ret = ff_thread_get_buffer(avctx, &tframe, 0);
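Review bot: The left-hand side of the new size check, `w_block * h_block * ctx->tex_step`, is multiplied before the comparison widens it, so only the right-hand side is forced to 64 bits by `8LL`. If `w_block`, `h_block` and `tex_step` are all `int` (the field types are not visible in this hunk), large coded dimensions could overflow the signed product, which is undefined behaviour and could let an undersized texture pass the guard. Widening the first operand avoids this: `if ((int64_t)w_block * h_block * ctx->tex_step > ctx->tex_size * 8LL)`. The factor 8 is also unexplained; a short comment such as `/* reject frames whose texture data cannot cover the coded block count */`, plus a note on where the 8 comes from, would help the next reader. The body of `dxv_decode` starts and continues outside this hunk, so whether `texture_block_w` and `texture_block_h` are guaranteed non-zero at this point cannot be confirmed from here.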