| Message ID | 20190121000841.1370-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | fcbda8af175a1f305c46d6d46a4f90be4aa630ae |
| Headers | show |
On Mon, Jan 21, 2019 at 01:08:41AM +0100, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: 12447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5201623956062208 > Fixes: 12458/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705567736168448 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/huffyuvdec.c | 5 +++++ > 1 file changed, 5 insertions(+) will apply [...]
diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 8226c07743..27f650d7bf 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -1268,6 +1268,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (nb_slices > 1) { slice_offset = AV_RL32(avpkt->data + slices_info_offset + slice * 8); slice_size = AV_RL32(avpkt->data + slices_info_offset + slice * 8 + 4); + + if (slice_offset < 0 || slice_size <= 0 || (slice_offset&3) || + slice_offset + (int64_t)slice_size > buf_size) + return AVERROR_INVALIDDATA; + y_offset = height - (slice + 1) * slice_height; s->bdsp.bswap_buf((uint32_t *)s->bitstream_buffer, (const uint32_t *)(buf + slice_offset), slice_size / 4);
Fixes: out of array access Fixes: 12447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5201623956062208 Fixes: 12458/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705567736168448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/huffyuvdec.c | 5 +++++ 1 file changed, 5 insertions(+)