avcodec/mv30: Check remaining mask in decode_inter()

Fixes: timeout (too long -> 4sec)
Fixes: 25129/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5642089713631232
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c
index c83ba7ffbdb79794ae5be853491221b3b1e7b6dc..0dcfef23e0d92aeff7a6b1e0f42fb07c0327a857 100644 (file)
--- a/libavcodec/mv30.c
+++ b/libavcodec/mv30.c
@@ -531,8 +531,13 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb,
         for (int x = 0; x < avctx->width; x += 16) {
             if (cnt >= 4)
                 cnt = 0;
-            if (cnt == 0)
+            if (cnt == 0) {
+                if (get_bits_left(&mask) < 8) {
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
+                }
                 flags = get_bits(&mask, 8);
+            }
 
             dst[0] = frame->data[0] + linesize[0] * y + x;
             dst[1] = frame->data[0] + linesize[0] * y + x + 8;