From 76cc0f0f673353cd4746cd3b83838ae335e5d9ed Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 9 Feb 2018 15:27:41 +0100
Subject: [PATCH] avcodec/utvideodec: Add several out of array read related checks
Fixes: OV_decode_plane.avi
Found-by: GwanYeong Kim
Signed-off-by: Michael Niedermayer
---
 libavcodec/utvideodec.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 1bcd14e74c6..c5f55349643 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -268,6 +268,9 @@ static int decode_plane(UtvideoContext *c, int plane_no,
 send = (height * (slice + 1) / c->slices) & cmask;
 dest = dst + sstart * stride;
+ if (3 * ((dst + send * stride - dest + 7)/8) > get_bits_left(&cbit))
+ return AVERROR_INVALIDDATA;
+
 for (p = dest; p < dst + send * stride; p += 8) {
 int bits = get_bits_le(&cbit, 3);
@@ -277,6 +280,9 @@ static int decode_plane(UtvideoContext *c, int plane_no,
 uint32_t sub = 0x80 >> (8 - (bits + 1)), add;
 int k;
+ if ((bits + 1) * 8 > get_bits_left(&pbit))
+ return AVERROR_INVALIDDATA;
+
 for (k = 0; k < 8; k++) {
 p[k] = get_bits_le(&pbit, bits + 1);
@@ -639,9 +645,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 for (j = 0; j < c->slices; j++) {
 c->packed_stream[i][j] = packed_stream;
 c->packed_stream_size[i][j] = bytestream2_get_le32(&pb);
- left -= c->packed_stream_size[i][j];
- if (left < 0)
+ if (c->packed_stream_size[i][j] > left)
 return AVERROR_INVALIDDATA;
+ left -= c->packed_stream_size[i][j];
 packed_stream += c->packed_stream_size[i][j];
 }
 }
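Review bot: The new bound `if (3 * ((dst + send * stride - dest + 7)/8) > get_bits_left(&cbit))` folds the slice length, the round-up to whole 8-pixel groups and the 3-bit control-word size into one expression with no comment, so a reader cannot tell which stream it protects or where 3 and 8 come from without re-deriving the loop below. Naming the slice length makes the check verifiable against that loop: `ptrdiff_t slice_len = dst + send * stride - dest;` followed by `if (3 * ((slice_len + 7) / 8) > get_bits_left(&cbit))`, with the comment `/* one 3-bit control word per 8-pixel group; a partial last group still costs a full word */`. The check assumes `dest` does not lie past `dst + send * stride` (i.e. sstart <= send); decode_plane and the computation of sstart/send begin outside this hunk, so that ordering cannot be confirmed here.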
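Review bot: The pixel-stream check `if ((bits + 1) * 8 > get_bits_left(&pbit))` matches the eight `get_bits_le(&pbit, bits + 1)` reads of the loop that follows, but the hunk gives no hint that the constant 8 is the loop bound rather than a byte size; the comment `/* the 8 samples of this group follow as (bits + 1)-bit fields in the pixel stream */` would tie the two together. Since `bits` is read as a 3-bit field in the previous hunk, the left side is at most 64 and the multiplication cannot overflow, which is worth stating next to the check. The enclosing loop body and decode_plane continue outside this hunk.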
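Review bot: The reordered check `if (c->packed_stream_size[i][j] > left)` is only sound if `left` is non-negative on entry to the loop; its declaration and initialisation are outside the hunk, and if it is a signed type a negative value would be promoted to unsigned for this comparison (the size comes from `bytestream2_get_le32`), so the check would pass and `left -= ...` would then drive it further negative. If the initial value is derived from an already-validated buffer size, a comment at the check stating that `left >= 0` holds on entry, or making `left` an unsigned/size type, would make the invariant explicit instead of implicit. The identical pattern in the control_stream hunk at `@@ -652,9 +658,9 @@` has the same question. Both loops and decode_frame start and end outside the hunks.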
@@ -652,9 +658,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 for (j = 0; j < c->slices; j++) {
 c->control_stream[i][j] = control_stream;
 c->control_stream_size[i][j] = bytestream2_get_le32(&pb);
- left -= c->control_stream_size[i][j];
- if (left < 0)
+ if (c->control_stream_size[i][j] > left)
 return AVERROR_INVALIDDATA;
+ left -= c->control_stream_size[i][j];
 control_stream += c->control_stream_size[i][j];
 }
 }
--
2.39.2