From 426c52c2ce47ea1dc066e6f6a3e0095de932619c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 30 Mar 2021 13:17:09 +0200
Subject: [PATCH] avcodec/lscrdec: Check length in decode_idat()

Fixes: out of array access
Fixes: 32264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LSCR_fuzzer-6684504010915840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c01cd2a8b2a67da975d51fdf03f18c502df2e13c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/lscrdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/lscrdec.c b/libavcodec/lscrdec.c
index f5cfe1fa04..042da84bf9 100644
--- a/libavcodec/lscrdec.c
+++ b/libavcodec/lscrdec.c
@@ -76,6 +76,10 @@ static int decode_idat(LSCRContext *s, int length)
     int ret;
     s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb));
     s->zstream.next_in  = s->gb.buffer;
+
+    if (length <= 0)
+        return AVERROR_INVALIDDATA;
+
     bytestream2_skip(&s->gb, length);
 
     /* decode one line if possible */