avcodec/bintext: Check input size before allocating the input image

Fixes: Timeout
Fixes: 9795/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-5768631928487936
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c
index d967317671b89a008b98b7d065851d20531592a3..b14a2a9c29618124cbf4cfbe472ae77d5909a033 100644 (file)
--- a/libavcodec/bintext.c
+++ b/libavcodec/bintext.c
@@ -146,6 +146,9 @@ static int decode_frame(AVCodecContext *avctx,
     const uint8_t *buf_end = buf+buf_size;
     int ret;
 
+    if ((avctx->width / FONT_WIDTH) * (avctx->height / s->font_height) / 256 > buf_size)
+        return AVERROR_INVALIDDATA;
+
     s->x = s->y = 0;
     if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
         return ret;