authorMichael Niedermayer <michael@niedermayer.cc>2017-05-13 15:39:32 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-05-14 00:21:50 +0200
commitd1dd90ae5425402fe176c2400351395b3165c309 (patch)
treee3af5d3f87d86619de7426e75247021bdbba7968
parent00a9eaff97881c40d2d67379d231e47739afe2fc (diff)
downloadffmpeg-d1dd90ae5425402fe176c2400351395b3165c309.tar.gz
avcodec/scpr: Fix multiple runtime error: index 256 out of bounds for type 'unsigned int [256]'
Fixes: 1519/clusterfuzz-testcase-minimized-5286680976162816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2171dfae8c065878a2e130390eb78cf2947a5b69) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/scpr.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index ea3beae29d..286fffbf35 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -261,6 +261,9 @@ static int decode_unit(SCPRContext *s, PixelModel *pixel, unsigned step, unsigne
break;
c++;
}
+ if (x >= 16 || c >= 256) {
+ return AVERROR_INVALIDDATA;
+ }
if ((ret = s->decode(gb, rc, cumfr, cnt_c, totfr)) < 0)
return ret;
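Review bot: The added guard `if (x >= 16 || c >= 256)` hard-codes both limits without saying which tables they protect or why the loop ending just above can leave `c` at the limit. A one-line comment would make the invariant checkable, for example `/* no bucket matched: x or c ran past its table, reject before either is used as an index */`. The commit title ties 256 to an `unsigned int [256]`, so deriving the bound from the array itself with `FF_ARRAY_ELEMS` would keep the check in step if the table size ever changes; the array declarations and loop conditions are outside this hunk, so that part is inferred. The braces around the single `return` also differ from the unbraced `if (...) return ret;` immediately below. decode_unit starts before the hunk and continues after it.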