avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads

Fixes: 16144/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_fuzzer-5638618940440576
Fixes: out of array read
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c
index 89cbbb41b6898e74c7f11e21445d328dd4729746..3c53b8fdaf243f16de6c13dddaad05c0925dd58c 100644 (file)
--- a/libavcodec/libvorbisdec.c
+++ b/libavcodec/libvorbisdec.c
@@ -64,22 +64,25 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) {
         }
     } else if(*p == 2) {
         unsigned int offset = 1;
+        unsigned int sizesum = 1;
         p++;
         for(i=0; i<2; i++) {
             hsizes[i] = 0;
-            while((*p == 0xFF) && (offset < avccontext->extradata_size)) {
+            while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) {
                 hsizes[i] += 0xFF;
                 offset++;
+                sizesum += 1 + 0xFF;
                 p++;
             }
-            if(offset >= avccontext->extradata_size - 1) {
+            hsizes[i] += *p;
+            offset++;
+            sizesum += 1 + *p;
+            if(sizesum > avccontext->extradata_size) {
                 av_log(avccontext, AV_LOG_ERROR,
                        "vorbis header sizes damaged\n");
                 ret = AVERROR_INVALIDDATA;
                 goto error;
             }
-            hsizes[i] += *p;
-            offset++;
             p++;
         }
         hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset;