avcodec/ralf: Check num_blocks before use

Fixes: out of array access
Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0c0471075fe52ed31c46e038df4280aef5b67a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1 files changed, 2 insertions, 0 deletions

diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c
index a57966a298..406326779a 100644
--- a/libavcodec/ralf.c
+++ b/libavcodec/ralf.c
@@ -482,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
     init_get_bits(&gb, src + 2, table_size);
     ctx->num_blocks = 0;
     while (get_bits_left(&gb) > 0) {
+        if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size))
+            return AVERROR_INVALIDDATA;
         ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels);
         if (get_bits1(&gb)) {
             ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9);