diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2020-05-11 22:17:43 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2020-05-12 21:39:13 +0200 |
commit | f0c0471075fe52ed31c46e038df4280aef5b67a1 (patch) | |
tree | 007c207206804575488524a7a7870aa71e7fb4ea /libavcodec/ralf.c | |
parent | a035fd88ae7341a05c01f3b393921933e4ea9665 (diff) | |
download | ffmpeg-f0c0471075fe52ed31c46e038df4280aef5b67a1.tar.gz |
avcodec/ralf: Check num_blocks before use
Fixes: out of array access
Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/ralf.c')
-rw-r--r-- | libavcodec/ralf.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 08e8043e30..0080b23941 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -482,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, init_get_bits(&gb, src + 2, table_size); ctx->num_blocks = 0; while (get_bits_left(&gb) > 0) { + if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size)) + return AVERROR_INVALIDDATA; ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels); if (get_bits1(&gb)) { ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9); |