From f4079d5174c20eddbc99eef6ebe98d411f8014c5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 23 Jan 2019 00:16:02 +0100
Subject: [PATCH] avcodec/rasc: Check uncompressed dlta size

We assume that if the compressed size is bigger than if each byte is encoded in a single raw packet
that the data is invalid.

Fixes: Out of memory
Fixes: 12208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5648916473708544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rasc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c
index 1b607ac31e..6e32c1540e 100644
--- a/libavcodec/rasc.c
+++ b/libavcodec/rasc.c
@@ -353,6 +353,8 @@ static int decode_dlta(AVCodecContext *avctx,
     compression = bytestream2_get_le32(gb);
 
     if (compression == 1) {
+        if (w * h * s->bpp * 3 < uncompressed_size)
+            return AVERROR_INVALIDDATA;
         ret = decode_zlib(avctx, avpkt, size, uncompressed_size);
         if (ret < 0)
             return ret;
-- 
GitLab