| Message ID | 20190123011020.5726-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | f4079d5174c20eddbc99eef6ebe98d411f8014c5 |
| Headers | show |
On Wed, Jan 23, 2019 at 02:10:18AM +0100, Michael Niedermayer wrote: > We assume that if the compressed size is bigger than if each byte is encoded in a single raw packet > that the data is invalid. > > Fixes: Out of memory > Fixes: 12208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5648916473708544 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/rasc.c | 2 ++ > 1 file changed, 2 insertions(+) will apply patchset [...]
diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 1b607ac31e..6e32c1540e 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -353,6 +353,8 @@ static int decode_dlta(AVCodecContext *avctx, compression = bytestream2_get_le32(gb); if (compression == 1) { + if (w * h * s->bpp * 3 < uncompressed_size) + return AVERROR_INVALIDDATA; ret = decode_zlib(avctx, avpkt, size, uncompressed_size); if (ret < 0) return ret;
We assume that if the compressed size is bigger than if each byte is encoded in a single raw packet that the data is invalid. Fixes: Out of memory Fixes: 12208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5648916473708544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/rasc.c | 2 ++ 1 file changed, 2 insertions(+)