avcodec/escape124: Check buf_size against num_superblocks

Fixes: Timeout
Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
index eb051eba54a5a006aafc86f089b3b940cf2db096..14f939633295dfeed5c1e492eabfadbc2a066879 100644 (file)
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,
 
     // This call also guards the potential depth reads for the
     // codebook unpacking.
-    if (get_bits_left(&gb) < 64)
+    // Check if the amount we will read minimally is available on input.
+    // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320
+    // represent a lower bound of the space needed for skiped superblocks. Non
+    // skipped SBs need more space.
+    if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
         return -1;
 
     frame_flags = get_bits_long(&gb, 32);