Browse code
avcodec/qdm2: Do not read out of array in fix_coding_method_array()
Instead we ask for a sample, its unclear what to do in this case.
Fixes: index 30 out of bounds for type 'int8_t [30][64]'
Fixes: 15339/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5749441484554240
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ae021c1239ec3bc0a30dc5a4720569071599ece4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2019/06/24 08:01:02Showing 1 changed files
| ... | ... |
@@ -408,7 +408,12 @@ static int fix_coding_method_array(int sb, int channels, |
| 408 | 408 |
} |
| 409 | 409 |
for (k = 0; k < run; k++) {
|
| 410 | 410 |
if (j + k < 128) {
|
| 411 |
- if (coding_method[ch][sb + (j + k) / 64][(j + k) % 64] > coding_method[ch][sb][j]) {
|
|
| 411 |
+ int sbjk = sb + (j + k) / 64; |
|
| 412 |
+ if (sbjk > 29) {
|
|
| 413 |
+ SAMPLES_NEEDED |
|
| 414 |
+ continue; |
|
| 415 |
+ } |
|
| 416 |
+ if (coding_method[ch][sbjk][(j + k) % 64] > coding_method[ch][sb][j]) {
|
|
| 412 | 417 |
if (k > 0) {
|
| 413 | 418 |
SAMPLES_NEEDED |
| 414 | 419 |
//not debugged, almost never used |