avcodec/ffv1dec: Check for bitstream end in decode_line()

Fixes: timeout
Fixes: 2971/clusterfuzz-testcase-6130678276030464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 20921c6adfb3554988b70cd362808c0daa58440c..b13ecd3eabba0fe4ebc3dd1fc65f4c305ead279d 100644 (file)
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -93,6 +93,19 @@ static inline int get_vlc_symbol(GetBitContext *gb, VlcState *const state,
     return ret;
 }
 
+static int is_input_end(FFV1Context *s)
+{
+    if (s->ac != AC_GOLOMB_RICE) {
+        RangeCoder *const c = &s->c;
+        if (c->overread > MAX_OVERREAD)
+            return AVERROR_INVALIDDATA;
+    } else {
+        if (get_bits_left(&s->gb) < 1)
+            return AVERROR_INVALIDDATA;
+    }
+    return 0;
+}
+
 #define TYPE int16_t
 #define RENAME(name) name
 #include "ffv1dec_template.c"
@@ -103,7 +116,7 @@ static inline int get_vlc_symbol(GetBitContext *gb, VlcState *const state,
 #define RENAME(name) name ## 32
 #include "ffv1dec_template.c"
 
-static void decode_plane(FFV1Context *s, uint8_t *src,
+static int decode_plane(FFV1Context *s, uint8_t *src,
                          int w, int h, int stride, int plane_index,
                          int pixel_stride)
 {
@@ -127,11 +140,15 @@ static void decode_plane(FFV1Context *s, uint8_t *src,
 
 // { START_TIMER
         if (s->avctx->bits_per_raw_sample <= 8) {
-            decode_line(s, w, sample, plane_index, 8);
+            int ret = decode_line(s, w, sample, plane_index, 8);
+            if (ret < 0)
+                return ret;
             for (x = 0; x < w; x++)
                 src[x*pixel_stride + stride * y] = sample[1][x];
         } else {
-            decode_line(s, w, sample, plane_index, s->avctx->bits_per_raw_sample);
+            int ret = decode_line(s, w, sample, plane_index, s->avctx->bits_per_raw_sample);
+            if (ret < 0)
+                return ret;
             if (s->packed_at_lsb) {
                 for (x = 0; x < w; x++) {
                     ((uint16_t*)(src + stride*y))[x*pixel_stride] = sample[1][x];
@@ -144,6 +161,7 @@ static void decode_plane(FFV1Context *s, uint8_t *src,
         }
 // STOP_TIMER("decode-line") }
     }
+    return 0;
 }
 
 static int decode_slice_header(FFV1Context *f, FFV1Context *fs)

diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c
index d41d807e64ceae2222b6418c53149b7c2918620a..37df7667737d3185f14b1f1e0c8fca6afd07f51a 100644 (file)
--- a/libavcodec/ffv1dec_template.c
+++ b/libavcodec/ffv1dec_template.c
@@ -20,7 +20,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
-static av_always_inline void RENAME(decode_line)(FFV1Context *s, int w,
+static av_always_inline int RENAME(decode_line)(FFV1Context *s, int w,
                                                  TYPE *sample[2],
                                                  int plane_index, int bits)
 {
@@ -31,6 +31,9 @@ static av_always_inline void RENAME(decode_line)(FFV1Context *s, int w,
     int run_mode  = 0;
     int run_index = s->run_index;
 
+    if (is_input_end(s))
+        return AVERROR_INVALIDDATA;
+
     if (s->slice_coding_mode == 1) {
         int i;
         for (x = 0; x < w; x++) {
@@ -41,7 +44,7 @@ static av_always_inline void RENAME(decode_line)(FFV1Context *s, int w,
             }
             sample[1][x] = v;
         }
-        return;
+        return 0;
     }
 
     for (x = 0; x < w; x++) {
@@ -101,6 +104,7 @@ static av_always_inline void RENAME(decode_line)(FFV1Context *s, int w,
         sample[1][x] = av_mod_uintp2(RENAME(predict)(sample[1] + x, sample[0] + x) + (SUINT)diff, bits);
     }
     s->run_index = run_index;
+    return 0;
 }
 
 static void RENAME(decode_rgb_frame)(FFV1Context *s, uint8_t *src[3], int w, int h, int stride[3])