avcodec/wmv2dec: skip frames that have only skiped MBs

This requires us to pre-parse the skip data, as we want to detect this before allocating all the arrays Fixes: Timeout Fixes: 9708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5729709861109760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2018-08-26 15:57:54 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2018-09-03 00:01:32 +0200
commit: 0c88a5d3eb8cd6891a52eb285b37b1458f0b4b16 (patch)
tree: ef7dcf8179e2aa559c89d583ded05aa9b5c13399 /libavcodec/wmv2dec.c
parent: 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c
index ea0e0594b5..4f97d9227c 100644
--- a/libavcodec/wmv2dec.c
+++ b/libavcodec/wmv2dec.c
@@ -141,6 +141,21 @@ int ff_wmv2_decode_picture_header(MpegEncContext *s)
     if (s->qscale <= 0)
         return AVERROR_INVALIDDATA;
 
+    if (s->pict_type != AV_PICTURE_TYPE_I && show_bits(&s->gb, 1)) {
+        GetBitContext gb = s->gb;
+        int skip_type = get_bits(&gb, 2);
+        int run = skip_type == SKIP_TYPE_COL ? s->mb_width : s->mb_height;
+
+        while (run > 0) {
+            int block = FFMIN(run, 25);
+            if (get_bits(&gb, block) + 1 != 1<<block)
+                break;
+            run -= block;
+        }
+        if (!run)
+            return FRAME_SKIPPED;
+    }
+
     return 0;
 }
author	Michael Niedermayer <michael@niedermayer.cc>	2018-08-26 15:57:54 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2018-09-03 00:01:32 +0200
commit	0c88a5d3eb8cd6891a52eb285b37b1458f0b4b16 (patch)
tree	ef7dcf8179e2aa559c89d583ded05aa9b5c13399 /libavcodec/wmv2dec.c
parent	93a203662f6ff1bb9fd2e966bf7df27e9bdb1916 (diff)