@@ -32,6 +32,7 @@ static int pnm_parse(AVCodecParserContext *s, AVCodecContext *avctx,
ParseContext *pc = s->priv_data;
PNMContext pnmctx;
int next;
+ int skip = 0;
for (; pc->overread > 0; pc->overread--) {
pc->buffer[pc->index++]= pc->buffer[pc->overread_index++];
@@ -43,8 +44,8 @@ retry:
pnmctx.bytestream_end = pc->buffer + pc->index;
} else {
pnmctx.bytestream_start =
- pnmctx.bytestream = (uint8_t *) buf; /* casts avoid warnings */
- pnmctx.bytestream_end = (uint8_t *) buf + buf_size;
+ pnmctx.bytestream = (uint8_t *) buf + skip; /* casts avoid warnings */
+ pnmctx.bytestream_end = (uint8_t *) buf + buf_size - skip;
}
if (ff_pnm_decode_header(avctx, &pnmctx) < 0) {
if (pnmctx.bytestream < pnmctx.bytestream_end) {
@@ -52,8 +53,8 @@ retry:
pc->index = 0;
} else {
unsigned step = FFMAX(1, pnmctx.bytestream - pnmctx.bytestream_start);
- buf += step;
- buf_size -= step;
+
+ skip += step;
}
goto retry;
}
@@ -61,9 +62,9 @@ retry:
} else if (pnmctx.type < 4) {
next = END_NOT_FOUND;
} else {
- next = pnmctx.bytestream - pnmctx.bytestream_start
+ next = pnmctx.bytestream - pnmctx.bytestream_start + skip
+ av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);
- if (pnmctx.bytestream_start != buf)
+ if (pnmctx.bytestream_start != buf + skip)
next -= pc->index;
if (next > buf_size)
next = END_NOT_FOUND;
Fixes: Timeout Fixes: 9759/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PPM_fuzzer-5655277650051072 Fixes: 9753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5764378543521792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/pnm_parser.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-)