avcodec/cavsdec: Check remaining bitstream in the main loop in decode_pic()

Fixes: Timeout (149sec ->1sec) Fixes: 17311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5679368642232320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2019-09-24 23:33:03 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2019-10-16 19:17:57 +0200
commit: e7113704b2ae6bcf4ab8ed3fbb098c9aab0d5df2 (patch)
tree: 879c2bb280578588ba5bd57b6f1736a41fee92a3
parent: ea770eb55941a6ed7b86828d6ea2f4e718a4b337 (diff)
download: ffmpeg-streaming-e7113704b2ae6bcf4ab8ed3fbb098c9aab0d5df2.zip
ffmpeg-streaming-e7113704b2ae6bcf4ab8ed3fbb098c9aab0d5df2.tar.gz
2 files changed, 13 insertions, 3 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 1c4f718..436f902 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1101,11 +1101,16 @@ static int decode_pic(AVSContext *h)
         do {
             if (check_for_slice(h))
                 skip_count = -1;
-            if (h->skip_mode_flag && (skip_count < 0))
+            if (h->skip_mode_flag && (skip_count < 0)) {
+                if (get_bits_left(&h->gb) < 1)
+                    break;
                 skip_count = get_ue_golomb(&h->gb);
+            }
             if (h->skip_mode_flag && skip_count--) {
                 decode_mb_p(h, P_SKIP);
             } else {
+                if (get_bits_left(&h->gb) < 1)
+                    break;
                 mb_type = get_ue_golomb(&h->gb) + P_SKIP + h->skip_mode_flag;
                 if (mb_type > P_8X8)
                     ret = decode_mb_i(h, mb_type - P_8X8 - 1);
@@ -1119,11 +1124,16 @@ static int decode_pic(AVSContext *h)
         do {
             if (check_for_slice(h))
                 skip_count = -1;
-            if (h->skip_mode_flag && (skip_count < 0))
+            if (h->skip_mode_flag && (skip_count < 0)) {
+                if (get_bits_left(&h->gb) < 1)
+                    break;
                 skip_count = get_ue_golomb(&h->gb);
+            }
             if (h->skip_mode_flag && skip_count--) {
                 ret = decode_mb_b(h, B_SKIP);
             } else {
+                if (get_bits_left(&h->gb) < 1)
+                    break;
                 mb_type = get_ue_golomb(&h->gb) + B_SKIP + h->skip_mode_flag;
                 if (mb_type > B_8X8)
                     ret = decode_mb_i(h, mb_type - B_8X8 - 1);
diff --git a/tests/ref/fate/cavs b/tests/ref/fate/cavs
index ddcbe04..4c3d127 100644
--- a/tests/ref/fate/cavs
+++ b/tests/ref/fate/cavs
@@ -172,4 +172,4 @@
 0,        166,        166,        1,   622080, 0x05496a5d
 0,        167,        167,        1,   622080, 0xdcb4cee8
 0,        168,        168,        1,   622080, 0xb41172e5
-0,        169,        169,        1,   622080, 0x56c72478
+0,        169,        169,        1,   622080, 0x26146e0b
author	Michael Niedermayer <michael@niedermayer.cc>	2019-09-24 23:33:03 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2019-10-16 19:17:57 +0200
commit	e7113704b2ae6bcf4ab8ed3fbb098c9aab0d5df2 (patch)
tree	879c2bb280578588ba5bd57b6f1736a41fee92a3
parent	ea770eb55941a6ed7b86828d6ea2f4e718a4b337 (diff)
download	ffmpeg-streaming-e7113704b2ae6bcf4ab8ed3fbb098c9aab0d5df2.zip ffmpeg-streaming-e7113704b2ae6bcf4ab8ed3fbb098c9aab0d5df2.tar.gz