avcodec/mv30: Check remaining mask in decode_inter()

Fixes: timeout (too long -> 4sec) Fixes: 25129/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5642089713631232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/mv30: Check remaining mask in decode_inter()
Fixes: timeout (too long -> 4sec) Fixes: 25129/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5642089713631232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
142ae27b · Michael Niedermayer · c467adf3 · 142ae27b
Commit 142ae27b authored Sep 13, 2020 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

mv30.c libavcodec/mv30.c +6 -1

No files found.
--- a/libavcodec/mv30.c
+++ b/libavcodec/mv30.c
@@ -531,8 +531,13 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb,
        for (int x = 0; x < avctx->width; x += 16) {
            if (cnt >= 4)
                cnt = 0;
-            if (cnt == 0)
+            if (cnt == 0) {
+                if (get_bits_left(&mask) < 8) {
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
+                }
                flags = get_bits(&mask, 8);
+            }

            dst[0] = frame->data[0] + linesize[0] * y + x;
            dst[1] = frame->data[0] + linesize[0] * y + x + 8;