diff mbox

[FFmpeg-devel,4/4] avcodec/dvdsub_parser: Allocate input padding

Message ID 20180713172640.19675-4-michael@niedermayer.cc
State Accepted
Commit cd86b5cfe278af79d6b147e122d9a72c270a9fde
Headers show

Commit Message

Michael Niedermayer July 13, 2018, 5:26 p.m. UTC 
Fixes: out of array read
Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dvdsub_parser.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer July 15, 2018, 5:46 p.m. UTC | #1 
On Fri, Jul 13, 2018 at 07:26:40PM +0200, Michael Niedermayer wrote:
> Fixes: out of array read
> Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/dvdsub_parser.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

will apply

[...]
diff mbox

Patch

diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c
index 8e1c48bef6..698ccb6987 100644
--- a/libavcodec/dvdsub_parser.c
+++ b/libavcodec/dvdsub_parser.c
@@ -57,7 +57,11 @@  static int dvdsub_parse(AVCodecParserContext *s,
         if (pc->packet_len == 0) /* HD-DVD subpicture packet */
             pc->packet_len = AV_RB32(buf+2);
         av_freep(&pc->packet);
-        pc->packet = av_malloc(pc->packet_len);
+        if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+            av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len);
+            return buf_size;
+        }
+        pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE);
     }
     if (pc->packet) {
         if (pc->packet_index + buf_size <= pc->packet_len) {