avcodec/midivid: Check vector index

Fixes: out of array read Fixes: 20494/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-5681452423577600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-02-09 16:53:15 +0300
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-02-10 01:33:18 +0300
commit: b0eec1391e1daeade456698b1aee9b2d43a6f538 (patch)
tree: b1c5f0df2090c23457b6be4193b395784cba8fa8 /libavcodec/midivid.c
parent: ac5d5046c8ef4988b36734effe42a2fae8547ce1 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c
index bb5105bd57..8d4c3b369e 100644
--- a/libavcodec/midivid.c
+++ b/libavcodec/midivid.c
@@ -126,6 +126,8 @@ static int decode_mvdv(MidiVidContext *s, AVCodecContext *avctx, AVFrame *frame)
                 idx9bits--;
                 idx = bytestream2_get_byte(gb) | (((idx9val >> (7 - idx9bits)) & 1) << 8);
             }
+            if (idx >= nb_vectors)
+                return AVERROR_INVALIDDATA;
 
             dsty[x  +frame->linesize[0]] = vec[idx * 12 + 0];
             dsty[x+1+frame->linesize[0]] = vec[idx * 12 + 3];
author	Michael Niedermayer <michael@niedermayer.cc>	2020-02-09 16:53:15 +0300
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-02-10 01:33:18 +0300
commit	b0eec1391e1daeade456698b1aee9b2d43a6f538 (patch)
tree	b1c5f0df2090c23457b6be4193b395784cba8fa8 /libavcodec/midivid.c
parent	ac5d5046c8ef4988b36734effe42a2fae8547ce1 (diff)