From bb0a684d93f793457f7bff3940a1398eb9e91703 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 8 Nov 2023 01:44:07 +0100
Subject: [PATCH] avcodec/4xm: Check for cfrm exhaustion

Fixes: index -1 out of bounds for type 'CFrameBuffer [100]'
Fixes: 63877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5854263397711872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/4xm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 158b37a38b..cfe65c178a 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -885,6 +885,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
         }
 
         if (i >= CFRAME_BUFFER_COUNT) {
+            if (free_index < 0)
+                return AVERROR_INVALIDDATA;
             i             = free_index;
             f->cfrm[i].id = id;
         }