From fb7b0347b3317d606af2082ccd029e38a2ff6cb0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 15 Sep 2018 00:09:45 +0200
Subject: avcodec/mpeg4videodec: Check rice_prefix_code

Fixes: out of array read
Fixes: 10064/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5766801384800256
Fixes: 10225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5071833448054784
Fixes: 10261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5115048024866816

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mpeg4videodec.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libavcodec/mpeg4videodec.c')

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 4c77081237..853c6d9132 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -1968,6 +1968,10 @@ static int mpeg4_decode_dpcm_macroblock(MpegEncContext *s, int16_t macroblock[25
             if (rice_prefix_code == 11)
                 dpcm_residual = get_bits(&s->gb, s->avctx->bits_per_raw_sample);
             else {
+                if (rice_prefix_code == 12) {
+                    av_log(s->avctx, AV_LOG_ERROR, "Forbidden rice_prefix_code\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 rice_suffix_code = get_bitsz(&s->gb, rice_parameter);
                 dpcm_residual = (rice_prefix_code << rice_parameter) + rice_suffix_code;
             }
-- 
cgit v1.2.3