Message ID | 20180713172640.19675-4-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | cd86b5cfe278af79d6b147e122d9a72c270a9fde |
Headers | show |
On Fri, Jul 13, 2018 at 07:26:40PM +0200, Michael Niedermayer wrote: > Fixes: out of array read > Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/dvdsub_parser.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) will apply [...]
diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 8e1c48bef6..698ccb6987 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -57,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); av_freep(&pc->packet); - pc->packet = av_malloc(pc->packet_len); + if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { + av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len); + return buf_size; + } + pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE); } if (pc->packet) { if (pc->packet_index + buf_size <= pc->packet_len) {
Fixes: out of array read Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/dvdsub_parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)