avcodec/faxcompr: Add missing runs check in decode_uncompressed()

Fixes out of array access
Fixes: 54e488b9da4abbceaf405d6492515697/asan_heap-oob_32769b0_160_a8755eb08ee8f9579348501945a33955.TIF

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c
index 80df418..2a1d2bc 100644 (file)
--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -189,6 +189,10 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb,
     *mode = !*mode;
     if (newmode != *mode) { //FIXME CHECK
         *(*runs)++ = 0;
+        if (*runs >= runend) {
+            av_log(avctx, AV_LOG_ERROR, "uncompressed run overrun\n");
+            return AVERROR_INVALIDDATA;
+        }
         *mode = newmode;
     }
     return 0;