avcodec/arbc: Check nb_segments before allocating and copying frame
authorMichael Niedermayer <michael@niedermayer.cc>
Wed, 13 Mar 2019 20:48:25 +0000 (21:48 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Wed, 20 Mar 2019 20:12:45 +0000 (21:12 +0100)
Fixes: Timeout (30sec -> 2sec)
Fixes: 13578/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARBC_fuzzer-5685625527730176
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/arbc.c

index 11942e1983516bbaf4ed039a22aeee9c452c7ada..a8b0bb0d8bcc1e0fd86128f38cdf49e096483e31 100644 (file)
@@ -117,6 +117,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,
     if (avpkt->size < 10)
         return AVERROR_INVALIDDATA;
 
+    bytestream2_init(&s->gb, avpkt->data, avpkt->size);
+    bytestream2_skip(&s->gb, 8);
+    nb_segments = bytestream2_get_le16(&s->gb);
+    if (nb_segments == 0)
+        keyframe = 0;
+
+    if (7 * nb_segments > bytestream2_get_bytes_left(&s->gb))
+        return AVERROR_INVALIDDATA;
+
     if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
         return ret;
 
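Review bot: The bound `7 * nb_segments` on the added size check is an unexplained constant; a comment stating what it represents, e.g. `/* a segment is at least 7 bytes, so reject packets too short for nb_segments segments before allocating the frame */`, would let a reader check it against the per-segment reads, which are not in this hunk and where the exact minimum should be confirmed. The check is only a lower bound, so the loop body must still rely on bytestream2's bounded reads for segments larger than 7 bytes. Moving `keyframe = 0` ahead of the code between the two hunks (outside my view) changes the order relative to that code; if it branches on keyframe, the nb_segments == 0 path now behaves differently than with the old placement, which is worth confirming. decode_frame begins and ends outside this hunk.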
@@ -126,12 +135,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
             return ret;
     }
 
-    bytestream2_init(&s->gb, avpkt->data, avpkt->size);
-    bytestream2_skip(&s->gb, 8);
-    nb_segments = bytestream2_get_le16(&s->gb);
-    if (nb_segments == 0)
-        keyframe = 0;
-
     for (int i = 0; i < nb_segments; i++) {
         int resolution_flag;
         int fill;