avcodec/escape124: Check buf_size against num_superblocks

Fixes: Timeout Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/escape124: Check buf_size against num_superblocks
6677c986 · Michael Niedermayer · e7c0b44e · 6677c986
Commit 6677c986 authored 6 years ago by Michael Niedermayer
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,

    // This call also guards the potential depth reads for the
    // codebook unpacking.
-    if (get_bits_left(&gb) < 64)
+    // Check if the amount we will read minimally is available on input.
+    // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320
+    // represent a lower bound of the space needed for skiped superblocks. Non
+    // skipped SBs need more space.
+    if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
        return -1;

    frame_flags = get_bits_long(&gb, 32);