@@ -260,12 +260,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
* @param[in] avctx pointer to the AVCodecContext
* @return result code: 0 = OK, negative number = error
*/
-static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
+static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band,
AVCodecContext *avctx)
{
int plane, band_num, indx, transform_id, scan_indx;
int i;
int quant_mat;
+ IVIBandDesc temp_band, *band = &temp_band;
+ memcpy(&temp_band, arg_band, sizeof(temp_band));
plane = get_bits(&ctx->gb, 2);
band_num = get_bits(&ctx->gb, 4);
@@ -395,10 +397,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
/* decode block huffman codebook */
if (!get_bits1(&ctx->gb))
- band->blk_vlc.tab = ctx->blk_vlc.tab;
+ arg_band->blk_vlc.tab = ctx->blk_vlc.tab;
else
if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF,
- &band->blk_vlc, avctx))
+ &arg_band->blk_vlc, avctx))
return AVERROR_INVALIDDATA;
/* select appropriate rvmap table for this band */
@@ -439,6 +441,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
return AVERROR_INVALIDDATA;
}
+ band->blk_vlc = arg_band->blk_vlc;
+ memcpy(arg_band, band, sizeof(*arg_band));
+
return 0;
}
This avoids inconsistent value combinations. Alternatively it would be possible to add more checks and careful use of temporary variables, but my try of this quickly seemed to become a rather large change. The disadvantage of this, is that the struct is copied back and forth. Fixes: index 6 out of bounds for type 'const uint16_t [5][16]' Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/indeo4.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)