From 079de87687678ce518da9aae45fdde94252d6d89 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Thu, 3 Aug 2017 13:59:22 +0300 Subject: [PATCH] Check for heightLayer out of range Alternatively, the bits read in CProgramConfig_ReadHeightExt could be checked right there instead. Fixes: 2802/clusterfuzz-testcase-minimized-6752357788418048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libMpegTPDec/src/tpdec_asc.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index b0f1c6a..f3ea58a 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -717,6 +717,8 @@ int CProgramConfig_LookupElement(CProgramConfig *pPce, UINT channelConfig, /* search in front channels */ for (i = 0; i < pPce->NumFrontChannelElements; i++) { int heightLayer = pPce->FrontElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->FrontElementIsCpe[i] && pPce->FrontElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; @@ -773,6 +775,8 @@ int CProgramConfig_LookupElement(CProgramConfig *pPce, UINT channelConfig, /* search in side channels */ for (i = 0; i < pPce->NumSideChannelElements; i++) { int heightLayer = pPce->SideElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->SideElementIsCpe[i] && pPce->SideElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; @@ -830,6 +834,8 @@ int CProgramConfig_LookupElement(CProgramConfig *pPce, UINT channelConfig, /* search in back channels */ for (i = 0; i < pPce->NumBackChannelElements; i++) { int heightLayer = pPce->BackElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->BackElementIsCpe[i] && pPce->BackElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; 
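Review bot: The added guard `if (heightLayer >= PC_NUM_HEIGHT_LAYER)` in the front-channel search loop bounds only the upper side of an `int`, so it is complete only if `FrontElementHeightInfo[]` has an unsigned element type, which these hunks do not show. If that type is signed, a negative value still reaches `ec[heightLayer]` and `cc[heightLayer]`; declaring the local as `UINT heightLayer = pPce->FrontElementHeightInfo[i];` would make the one comparison cover both directions. The same applies to the side and back search loops and to the three counting loops in the `@@ -891` hunk. `CProgramConfig_LookupElement` starts and ends outside these hunks.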
@@ -891,18 +897,24 @@ int CProgramConfig_LookupElement(CProgramConfig *pPce, UINT channelConfig,
 channels/elements at normal height */
 for (i = 0; i < pPce->NumFrontChannelElements; i += 1) {
 int heightLayer = pPce->FrontElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 ec[heightLayer] += 1;
 cc[heightLayer] += (pPce->FrontElementIsCpe[i]) ? 2 : 1;
 }
 /* Count side channels/elements at normal height */
 for (i = 0; i < pPce->NumSideChannelElements; i += 1) {
 int heightLayer = pPce->SideElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 ec[heightLayer] += 1;
 cc[heightLayer] += (pPce->SideElementIsCpe[i]) ? 2 : 1;
 }
 /* Count back channels/elements at normal height */
 for (i = 0; i < pPce->NumBackChannelElements; i += 1) {
 int heightLayer = pPce->BackElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 ec[heightLayer] += 1;
 cc[heightLayer] += (pPce->BackElementIsCpe[i]) ? 2 : 1;
 }
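Review bot: The three guards in the counting loops return 0 just before the `ec[heightLayer] += 1` write, but nothing records why the value can be out of range or what 0 means to the caller. A comment above the first guard, e.g. `/* height layer is read from the stream; reject it before it indexes ec[]/cc[] */`, would keep the check from being removed as dead code later. Whether callers treat this 0 differently from an ordinary failed lookup is not visible in the hunk, so the function's header comment should state it.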