diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2019-11-23 09:18:12 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2020-04-23 21:29:01 +0200 |
commit | 43fe5031077889f28b5bdd5404e66554d4590f4f (patch) | |
tree | c38376fa7603dc9b3610d18a8df2c700bdd214ef | |
parent | 45eef1be3a42d9fb548d39a27af00343ff412866 (diff) | |
download | ffmpeg-43fe5031077889f28b5bdd5404e66554d4590f4f.tar.gz |
avcodec/wmavoice: Check remaining input in parse_packet_header()
Fixes: Infinite loop
Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 19c41969b26d07519fff8182a0d3266cdb712078)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/wmavoice.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 06d9db66be..799f719283 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1892,6 +1892,9 @@ static int parse_packet_header(WMAVoiceContext *s) skip_bits(gb, 4); // packet sequence number s->has_residual_lsps = get_bits1(gb); do { + if (get_bits_left(gb) < 6 + s->spillover_bitsize) + return AVERROR_INVALIDDATA; + res = get_bits(gb, 6); // number of superframes per packet // (minus first one if there is spillover) if (get_bits_left(gb) < 6 * (res == 0x3F) + s->spillover_bitsize) |