avcodec/ralf: Check num_blocks before use

Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f0c0471075fe52ed31c46e038df4280aef5b67a1) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-05-11 22:17:43 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-07-02 19:55:09 +0200
commit: 68ecaacbac77c2fe80f5bebfa11445f982fe7492 (patch)
tree: 7fd32853d045471fd9b531bac8783e8d18f65445
parent: 9aaf2c77dbd245b6796c54100e13f59dcf625a7c (diff)
download: ffmpeg-68ecaacbac77c2fe80f5bebfa11445f982fe7492.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c
index a57966a298..406326779a 100644
--- a/libavcodec/ralf.c
+++ b/libavcodec/ralf.c
@@ -482,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
     init_get_bits(&gb, src + 2, table_size);
     ctx->num_blocks = 0;
     while (get_bits_left(&gb) > 0) {
+        if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size))
+            return AVERROR_INVALIDDATA;
         ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels);
         if (get_bits1(&gb)) {
             ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9);
author	Michael Niedermayer <michael@niedermayer.cc>	2020-05-11 22:17:43 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-07-02 19:55:09 +0200
commit	68ecaacbac77c2fe80f5bebfa11445f982fe7492 (patch)
tree	7fd32853d045471fd9b531bac8783e8d18f65445
parent	9aaf2c77dbd245b6796c54100e13f59dcf625a7c (diff)
download	ffmpeg-68ecaacbac77c2fe80f5bebfa11445f982fe7492.tar.gz