avcodec/ituh263dec: Check cbpy in ff_h263_decode_mb()

Fixes: 618/clusterfuzz-testcase-6594990333493248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-02-20 00:49:03 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-02-20 00:49:44 +0100
commit: b7d9b4a1f1fcd01084ccbec6f7ef32c853681833 (patch)
tree: 32f62998927707222c99460ad3702b963f004707 /libavcodec/ituh263dec.c
parent: c11d3634b07b4aa71f75478aa1bcb63b0c22e030 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c
index 2e0f395c9b..73aaa1daf8 100644
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -717,6 +717,11 @@ int ff_h263_decode_mb(MpegEncContext *s,
             pb_mv_count = h263_get_modb(&s->gb, s->pb_frame, &cbpb);
         cbpy = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
 
+        if (cbpy < 0) {
+            av_log(s->avctx, AV_LOG_ERROR, "cbpy damaged at %d %d\n", s->mb_x, s->mb_y);
+            return SLICE_ERROR;
+        }
+
         if(s->alt_inter_vlc==0 || (cbpc & 3)!=3)
             cbpy ^= 0xF;
author	Michael Niedermayer <michael@niedermayer.cc>	2017-02-20 00:49:03 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-02-20 00:49:44 +0100
commit	b7d9b4a1f1fcd01084ccbec6f7ef32c853681833 (patch)
tree	32f62998927707222c99460ad3702b963f004707 /libavcodec/ituh263dec.c
parent	c11d3634b07b4aa71f75478aa1bcb63b0c22e030 (diff)