diff mbox

[FFmpeg-devel,1/4] avcodec/wmavoice: Check remaining input in parse_packet_header()

Message ID 20191123172119.20709-1-michael@niedermayer.cc
State Accepted
Commit 19c41969b26d07519fff8182a0d3266cdb712078
Headers show

Commit Message

Michael Niedermayer Nov. 23, 2019, 5:21 p.m. UTC 
Fixes: Infinite loop
Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wmavoice.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Michael Niedermayer Dec. 14, 2019, 9:39 p.m. UTC | #1 
On Sat, Nov 23, 2019 at 06:21:16PM +0100, Michael Niedermayer wrote:
> Fixes: Infinite loop
> Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/wmavoice.c | 3 +++
>  1 file changed, 3 insertions(+)

will apply patchset

[...]
diff mbox

Patch

diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index 4c147fe04f..afd6b32780 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1843,6 +1843,9 @@  static int parse_packet_header(WMAVoiceContext *s)
     skip_bits(gb, 4);          // packet sequence number
     s->has_residual_lsps = get_bits1(gb);
     do {
+        if (get_bits_left(gb) < 6 + s->spillover_bitsize)
+            return AVERROR_INVALIDDATA;
+
         res = get_bits(gb, 6); // number of superframes per packet
                                // (minus first one if there is spillover)
         n_superframes += res;