[FFmpeg-devel,2/2] avcodec/dxv: Check that there is enough data to decompress

Message ID 20181201211620.21921-2-michael@niedermayer.cc
State Accepted
Commit 2bc3811c0d6b34e43a55a7541722761f548628d0

Commit Message

Michael Niedermayer Dec. 1, 2018, 9:16 p.m. UTC
Fixes: Timeout
Fixes: 10979/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-6178582203203584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dxv.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Michael Niedermayer Dec. 8, 2018, 2:14 a.m. UTC | #1
On Sat, Dec 01, 2018 at 10:16:20PM +0100, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 10979/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-6178582203203584
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/dxv.c | 6 ++++++
>  1 file changed, 6 insertions(+)

will apply

[...]
Patch

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 08aca73b1f..bf53d7d706 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -1192,6 +1192,12 @@  static int dxv_decode(AVCodecContext *avctx, void *data,
     ret = decompress_tex(avctx);
     if (ret < 0)
         return ret;
+    {
+        int w_block = avctx->coded_width / ctx->texture_block_w;
+        int h_block = avctx->coded_height / ctx->texture_block_h;
+        if (w_block * h_block * ctx->tex_step > ctx->tex_size * 8LL)
+            return AVERROR_INVALIDDATA;
+    }
 
     tframe.f = data;
     ret = ff_thread_get_buffer(avctx, &tframe, 0);
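Review bot: the left-hand side of the new comparison is evaluated in plain int before the promotion forced by `8LL` on the right, so `w_block * h_block * ctx->tex_step` can itself overflow for large coded dimensions and wrap to a small or negative value that passes the check. Widen the product before multiplying, e.g. `if ((int64_t)w_block * h_block * ctx->tex_step > ctx->tex_size * 8LL)`, or compute `w_block` and `h_block` as `int64_t`. Also note that the bound is only applied after `decompress_tex(avctx)` has returned; if `texture_block_w`, `texture_block_h`, `tex_step` and `tex_size` are all known before that call, moving the check ahead of it would reject oversized input before the decompression work is spent, which is what the timeout in the commit message is about.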