From e7755b433e913e32bb061f17d5ecfcbcfef995b7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 11 Jan 2023 23:05:55 +0100
Subject: avcodec/eatgq: : Check index increments in tgq_decode_block()
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/eatgq.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c
index 89e9f20880..01e1acd4e4 100644
--- a/libavcodec/eatgq.c
+++ b/libavcodec/eatgq.c
@@ -56,7 +56,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx)
 return 0;
 }
-static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
+static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
 {
 const uint8_t *scantable = ff_zigzag_direct;
 int i, j, value;
@@ -64,6 +64,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
 for (i = 1; i < 64;) {
 switch (show_bits(gb, 3)) {
 case 4:
+ if (i >= 63)
+ return AVERROR_INVALIDDATA;
 block[scantable[i++]] = 0;
 case 0:
 block[scantable[i++]] = 0;
@@ -73,6 +75,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
 case 1:
 skip_bits(gb, 2);
 value = get_bits(gb, 6);
+ if (value > 64 - i)
+ return AVERROR_INVALIDDATA;
 for (j = 0; j < value; j++)
 block[scantable[i++]] = 0;
 break;
@@ -100,6 +104,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
 }
 }
 block[0] += 128 << 4;
+ return 0;
 }
 static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame,
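Review bot: tgq_decode_block now returns an int, but the hunk changing its signature adds no comment stating the contract, so a reader of `static int tgq_decode_block(...)` cannot tell what a non-zero result means without reading the whole body. A short header comment above the definition would fix that, e.g. `/* Decode one 8x8 coefficient block into block[]. Returns 0 on success, or AVERROR_INVALIDDATA when the bitstream would index past block[63]. */`. The function body continues in the following hunks and its `return 0;` is in the last hunk of this file.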
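Review bot: The new guard `if (i >= 63)` in `case 4:`, and the `if (value > 64 - i)` guard in the `case 1:` hunk that follows, are correct but give no hint of where 63 and 64 come from, so they read as magic numbers beside the loop's `i < 64`. A one-line comment on each would save the next reader re-deriving the bound: `/* case 4 falls into case 0 and writes two entries, so i + 2 must stay <= 64 */` and `/* the run of zeros must fit in the 64 - i entries that remain */`. The remaining switch cases lie outside these hunks; they appear to advance i by one, in which case the loop condition alone bounds them, but that is worth confirming rather than assuming.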
@@ -160,8 +165,11 @@ static int tgq_decode_mb(TgqContext *s, GetByteContext *gbyte,
 if (ret < 0)
 return ret;
- for (i = 0; i < 6; i++)
- tgq_decode_block(s, s->block[i], &gb);
+ for (i = 0; i < 6; i++) {
+ int ret = tgq_decode_block(s, s->block[i], &gb);
+ if (ret < 0)
+ return ret;
+ }
 tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y);
 bytestream2_skip(gbyte, mode);
 } else {
-- 
cgit v1.2.3
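Review bot: `int ret = tgq_decode_block(s, s->block[i], &gb);` inside the new loop declares a second `ret` that shadows the one tested by `if (ret < 0) return ret;` just above it; -Wshadow reports this and a reader can easily confuse the two variables. The loop should assign to the existing variable instead: `ret = tgq_decode_block(s, s->block[i], &gb);` with the `int` dropped. This assumes the outer `ret` is an int declared in the same enclosing block, which the hunk does not show. tgq_decode_mb's body starts and ends outside the hunk.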