
[FFmpeg-devel,2/2] avcodec/rasc: Check that the number of moves is less than or equal the number of pixels

Message ID 20181215014444.8313-2-michael@niedermayer.cc
State Accepted
Commit 092cb17983b2660b4e050a05c739060f8e03d27a

Commit Message

Michael Niedermayer Dec. 15, 2018, 1:44 a.m. UTC
Fixes: OOM
Fixes: 10307/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5393974559244288

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rasc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
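
The bound this patch introduces, as a stand-alone added example (this is not FFmpeg's code and not taken from the rasc decoder): a hypothetical move-table header is parsed, the count is checked first with only the pre-patch INT32_MAX / 16 guard and then with the post-patch pixel bound, and the width * height product is widened to 64 bits so it cannot wrap for large dimensions. The header layout (8 reserved bytes, a little-endian 32-bit move count, 8 more reserved bytes, 16 bytes per move), the MOVES_* error codes, the function names and the two constructed headers are all assumptions of the example.

```c
/* Added example, not FFmpeg code. Assumed (hypothetical) layout of the
 * move-table header: 8 reserved bytes, a little-endian 32-bit move
 * count, 8 reserved bytes; each move occupies 16 bytes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MOVE_SIZE 16
#define HDR_SIZE  20

/* Hypothetical error codes; FFmpeg itself returns AVERROR_INVALIDDATA. */
enum { MOVES_OK = 0, MOVES_INVALID = -1, MOVES_SHORT = -2 };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pre-patch guard: only keeps 16 * nb_moves from overflowing a 32-bit
 * int; any count up to INT32_MAX / 16 (134M moves, ~2 GiB) passes. */
static int check_moves_old(uint32_t nb_moves)
{
    return nb_moves > INT32_MAX / 16 ? MOVES_INVALID : MOVES_OK;
}

/* Post-patch guard: the count may not exceed the pixel count either.
 * The product is formed in int64_t so dimensions whose product exceeds
 * INT32_MAX do not wrap (a plain int multiply would). */
static int check_moves_new(uint32_t nb_moves, int width, int height)
{
    if (width <= 0 || height <= 0)
        return MOVES_INVALID;
    if (nb_moves > INT32_MAX / 16 ||
        (int64_t)nb_moves > (int64_t)width * height)
        return MOVES_INVALID;
    return MOVES_OK;
}

/* True when width * height does not fit a 32-bit int, i.e. when an
 * un-widened check would compare against a wrapped value. */
static int narrow_product_would_wrap(int width, int height)
{
    return (int64_t)width * height > INT32_MAX;
}

/* Parse the header and return the move-table size in bytes (the value a
 * decoder would allocate), or a negative MOVES_* error. */
static int64_t move_table_size(const uint8_t *buf, size_t len,
                               int width, int height)
{
    if (len < HDR_SIZE)
        return MOVES_SHORT;
    uint32_t nb_moves = rd_le32(buf + 8);
    int ret = check_moves_new(nb_moves, width, height);
    if (ret != MOVES_OK)
        return ret;
    return (int64_t)MOVE_SIZE * nb_moves;
}

/* Constructed headers, not real RASC data. evil_hdr claims 0x07FFFFFF
 * moves: exactly INT32_MAX / 16, so it passes the old guard yet would
 * request 16 * 0x07FFFFFF bytes (~2 GiB). good_hdr claims 3 moves. */
static const uint8_t evil_hdr[HDR_SIZE] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0x07, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t good_hdr[HDR_SIZE] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0x03, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    printf("old guard on evil header: %s\n",
           check_moves_old(rd_le32(evil_hdr + 8)) == MOVES_OK ? "accepted"
                                                               : "rejected");
    printf("new guard on evil header (1920x1080): %lld\n",
           (long long)move_table_size(evil_hdr, HDR_SIZE, 1920, 1080));
    printf("new guard on good header (1920x1080): %lld bytes\n",
           (long long)move_table_size(good_hdr, HDR_SIZE, 1920, 1080));
    return 0;
}
```

The example keeps both terms of the condition on purpose: the pixel bound alone does not cover the `16 * nb_moves` multiplication, because a frame's pixel count can exceed INT32_MAX / 16. Treating the pixel count as a ceiling for the move count is the reading of the commit subject; the patch itself does not say why that ceiling is valid.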

Comments

Paul B Mahol Dec. 15, 2018, 8:31 a.m. UTC | #1
On 12/15/18, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: OOM
> Fixes:
> 10307/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5393974559244288
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/rasc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c
> index 67351dfd19..1b607ac31e 100644
> --- a/libavcodec/rasc.c
> +++ b/libavcodec/rasc.c
> @@ -215,7 +215,7 @@ static int decode_move(AVCodecContext *avctx,
>      bytestream2_skip(gb, 8);
>      compression = bytestream2_get_le32(gb);
>
> -    if (nb_moves > INT32_MAX / 16)
> +    if (nb_moves > INT32_MAX / 16 || nb_moves > avctx->width *
> avctx->height)
>          return AVERROR_INVALIDDATA;
>
>      uncompressed_size = 16 * nb_moves;
> --
> 2.19.2
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

OK
Michael Niedermayer Dec. 16, 2018, 9:15 a.m. UTC | #2
On Sat, Dec 15, 2018 at 09:31:21AM +0100, Paul B Mahol wrote:
> On 12/15/18, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: OOM
> > Fixes:
> > 10307/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5393974559244288
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/rasc.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c
> > index 67351dfd19..1b607ac31e 100644
> > --- a/libavcodec/rasc.c
> > +++ b/libavcodec/rasc.c
> > @@ -215,7 +215,7 @@ static int decode_move(AVCodecContext *avctx,
> >      bytestream2_skip(gb, 8);
> >      compression = bytestream2_get_le32(gb);
> >
> > -    if (nb_moves > INT32_MAX / 16)
> > +    if (nb_moves > INT32_MAX / 16 || nb_moves > avctx->width *
> > avctx->height)
> >          return AVERROR_INVALIDDATA;
> >
> >      uncompressed_size = 16 * nb_moves;
> > --
> > 2.19.2
> >
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> 
> OK

will apply

thx

[...]

Patch

diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c
index 67351dfd19..1b607ac31e 100644
--- a/libavcodec/rasc.c
+++ b/libavcodec/rasc.c
@@ -215,7 +215,7 @@  static int decode_move(AVCodecContext *avctx,
     bytestream2_skip(gb, 8);
     compression = bytestream2_get_le32(gb);
 
-    if (nb_moves > INT32_MAX / 16)
+    if (nb_moves > INT32_MAX / 16 || nb_moves > avctx->width * avctx->height)
         return AVERROR_INVALIDDATA;
 
     uncompressed_size = 16 * nb_moves;
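
Review bot: the new term `nb_moves > avctx->width * avctx->height` multiplies two ints, so for dimensions whose product exceeds INT_MAX the comparison is made against an overflowed value, and nothing in this hunk shows the dimensions being bounded beforehand; widen the product, e.g. `nb_moves > (int64_t)avctx->width * avctx->height`, which also keeps the comparison signed whatever the declared type of nb_moves (its declaration is not in the hunk, and an unsigned nb_moves compared against a negative int product would convert that product to a huge unsigned value and let any count through). Keep the existing `nb_moves > INT32_MAX / 16` term: it is what protects `uncompressed_size = 16 * nb_moves` on the line below, and the pixel bound does not subsume it since width * height can exceed INT32_MAX / 16. A one-line comment stating why the pixel count is a valid ceiling for the move count would help the next reader, since the condition itself does not say so.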