From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 15 Apr 2021 18:08:22 +0000 (+0200)
Subject: avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line()
X-Git-Url: https://git.sesse.net/?a=commitdiff_plain;h=7b3881f0da6da00cb6b5b123328e2fbfca936c47;p=ffmpeg

avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line()

Fixes: Timeout
Fixes: 32886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4779761466474496

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---

diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c
index 3dd64cf7306..7bf11d80ca1 100644
--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -227,7 +227,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
             run       = 0;
             mode      = !mode;
         } else if ((int)t == -1) {
-            if (show_bits(gb, 12) == 15) {
+            if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) {
                 int ret;
                 skip_bits(gb, 12);
                 ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode);