avcodec/exr: Check oe in huf_decode() before use

Fixes: out of array access Fixes: 31386/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5773234709594112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-03-30 09:15:27 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-04-01 10:10:21 +0200
commit: 9e8475c7c7a81e8299e88d89981df3c14657fff4 (patch)
tree: 23a23638c99483792d50a3f117db9b9c4df1ffd5
parent: b484e140efb406422eb4cbef0e8ae51bfb54a69d (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 279cfe9412..65e5203c31 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -422,7 +422,12 @@ static int huf_decode(VLC *vlc, GetByteContext *gb, int nbits, int run_sym,
 
         if (x == run_sym) {
             int run = get_bits(&gbit, 8);
-            uint16_t fill = out[oe - 1];
+            uint16_t fill;
+
+            if (oe == 0 || oe + run > no)
+                return AVERROR_INVALIDDATA;
+
+            fill = out[oe - 1];
 
             while (run-- > 0)
                 out[oe++] = fill;
author	Michael Niedermayer <michael@niedermayer.cc>	2021-03-30 09:15:27 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-04-01 10:10:21 +0200
commit	9e8475c7c7a81e8299e88d89981df3c14657fff4 (patch)
tree	23a23638c99483792d50a3f117db9b9c4df1ffd5
parent	b484e140efb406422eb4cbef0e8ae51bfb54a69d (diff)