[FFmpeg-cvslog] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Jul  3 13:31:19 2022 +0200| [b4431399ec1e10afff458cf1ffae2a75987d725a] | committer: Michael Niedermayer

avcodec/ffv1dec: Limit golomb rice coded slices to width 8M

This limit is possibly not reachable due to other restrictions on buffers but
the decoder run table is too small beyond this, so explicitly check for it.

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b4431399ec1e10afff458cf1ffae2a75987d725a
---

 libavcodec/ffv1dec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 365f8b77a7..7731c15c87 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -187,6 +187,9 @@ static int decode_slice_header(const FFV1Context *f, FFV1Context *fs)
          || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
         return -1;
 
+    if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))
+        return AVERROR_INVALIDDATA;
+
     for (i = 0; i < f->plane_count; i++) {
         PlaneContext * const p = &fs->plane[i];
         int idx = get_symbol(c, state, 0);