
[FFmpeg-devel] libavcodec/pnm_parser: do not loose skipped parts in reporting of how much was consumed

Message ID 20180904002951.10741-1-michael@niedermayer.cc
State Accepted
Commit 4356e03fd651b0f2b9463c4bfee3d9ec5d819d61

Commit Message

Michael Niedermayer Sept. 4, 2018, 12:29 a.m. UTC
Fixes: Timeout
Fixes: 9759/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PPM_fuzzer-5655277650051072
Fixes: 9753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5764378543521792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/pnm_parser.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

Comments

Moritz Barsnick Sept. 4, 2018, 1:40 p.m. UTC | #1
On Tue, Sep 04, 2018 at 02:29:51 +0200, Michael Niedermayer wrote:
> Subject: [PATCH] libavcodec/pnm_parser: do not loose skipped parts in reporting of how much was consumed
Nit:                                             ^ lose
Michael Niedermayer Sept. 11, 2018, 7:33 p.m. UTC | #2
On Tue, Sep 04, 2018 at 03:40:43PM +0200, Moritz Barsnick wrote:
> On Tue, Sep 04, 2018 at 02:29:51 +0200, Michael Niedermayer wrote:
> > Subject: [PATCH] libavcodec/pnm_parser: do not loose skipped parts in reporting of how much was consumed
> Nit:                                             ^ lose

will apply with this fixed

thx

[...]

Patch

diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c
index 4bcd0ddd5d..9bf1fdcece 100644
--- a/libavcodec/pnm_parser.c
+++ b/libavcodec/pnm_parser.c
@@ -32,6 +32,7 @@  static int pnm_parse(AVCodecParserContext *s, AVCodecContext *avctx,
     ParseContext *pc = s->priv_data;
     PNMContext pnmctx;
     int next;
+    int skip = 0;
 
     for (; pc->overread > 0; pc->overread--) {
         pc->buffer[pc->index++]= pc->buffer[pc->overread_index++];
@@ -43,8 +44,8 @@  retry:
         pnmctx.bytestream_end   = pc->buffer + pc->index;
     } else {
         pnmctx.bytestream_start =
-        pnmctx.bytestream       = (uint8_t *) buf; /* casts avoid warnings */
-        pnmctx.bytestream_end   = (uint8_t *) buf + buf_size;
+        pnmctx.bytestream       = (uint8_t *) buf + skip; /* casts avoid warnings */
+        pnmctx.bytestream_end   = (uint8_t *) buf + buf_size - skip;
     }
     if (ff_pnm_decode_header(avctx, &pnmctx) < 0) {
         if (pnmctx.bytestream < pnmctx.bytestream_end) {
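Review bot: The added `bytestream_end` line computes `buf + buf_size - skip` although the start pointer has already been advanced by `skip`, so the scan window shrinks by `skip` bytes at the tail as well as at the head. The code removed in the next hunk (`buf += step; buf_size -= step;`) left the end fixed at the original `buf + buf_size`, so this is a behaviour change the commit message does not describe. If a large step pushes `skip` past half of `buf_size`, the end pointer falls below the start pointer and `ff_pnm_decode_header` receives an inverted range; whether its reads are guarded against that is not visible here. The line should read `pnmctx.bytestream_end   = (uint8_t *) buf + buf_size;`. The body of `pnm_parse` starts and ends outside this hunk.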
@@ -52,8 +53,8 @@  retry:
                 pc->index = 0;
             } else {
                 unsigned step = FFMAX(1, pnmctx.bytestream - pnmctx.bytestream_start);
-                buf      += step;
-                buf_size -= step;
+
+                skip += step;
             }
             goto retry;
         }
@@ -61,9 +62,9 @@  retry:
     } else if (pnmctx.type < 4) {
         next = END_NOT_FOUND;
     } else {
-        next = pnmctx.bytestream - pnmctx.bytestream_start
+        next = pnmctx.bytestream - pnmctx.bytestream_start + skip
                + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);
-        if (pnmctx.bytestream_start != buf)
+        if (pnmctx.bytestream_start != buf + skip)
             next -= pc->index;
         if (next > buf_size)
             next = END_NOT_FOUND;
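Review bot: The sum assigned to `next` is formed in `int` from the header offset, the new `skip` term and the return of `av_image_get_buffer_size()`, with no check on that return value or on overflow before the `next > buf_size` comparison. `av_image_get_buffer_size()` returns a negative error code on failure, and the width and height come from the header of untrusted input, so unless `ff_pnm_decode_header` bounds them tightly (not visible here) the sum can go negative or overflow. I would first set `next` to the header offset plus `skip`, then add the size only when valid: `int sz = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);` followed by `if (sz < 0 || sz > INT_MAX - next) next = END_NOT_FOUND; else next += sz;`. The `pc->index` adjustment would then apply only on the valid path. The enclosing function continues outside this hunk.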