[FFmpeg-cvslog] avcodec/4xm: Check index in decode_i_block() also in the path where its not used.

Thu Sep 26 22:06:25 EEST 2019

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Sep 17 19:53:45 2019 +0200| [87ddf9f1ef17726fd4235f2e7aed8334d0ff231b] | committer: Michael Niedermayer

avcodec/4xm: Check index in decode_i_block() also in the path where its not used.

Fixes: Infinite loop
Fixes: signed integer overflow: 2147483644 + 16 cannot be represented in type 'int'
Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584
Fixes: 16782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5743163859271680
Fixes: 17641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5711603562971136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=87ddf9f1ef17726fd4235f2e7aed8334d0ff231b
---

 libavcodec/4xm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 1f4e2aee24..336c651d31 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -525,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block)
             break;
         if (code == 0xf0) {
             i += 16;
+            if (i >= 64) {
+                av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i);
+                return 0;
+            }
         } else {
             if (code & 0xf) {
                 level = get_xbits(&f->gb, code & 0xf);

