diff mbox

[FFmpeg-devel] avcodec/escape124: Check buf_size against num_superblocks

Message ID 20180625003312.6929-1-michael@niedermayer.cc
State Accepted
Commit 6677c98626489edfdb4b49b4f66ca91867768a9f
Headers show

Commit Message

Michael Niedermayer June 25, 2018, 12:33 a.m. UTC 
Fixes: Timeout
Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/escape124.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer June 25, 2018, 9:01 p.m. UTC | #1 
On Mon, Jun 25, 2018 at 02:33:12AM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/escape124.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

will apply

[...]
diff mbox

Patch

diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
index eb051eba54..14f9396332 100644
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@@ -221,7 +221,11 @@  static int escape124_decode_frame(AVCodecContext *avctx,
 
     // This call also guards the potential depth reads for the
     // codebook unpacking.
-    if (get_bits_left(&gb) < 64)
+    // Check if the amount we will read minimally is available on input.
+    // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320
+    // represent a lower bound of the space needed for skiped superblocks. Non
+    // skipped SBs need more space.
+    if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
         return -1;
 
     frame_flags = get_bits_long(&gb, 32);