diff mbox

[FFmpeg-devel] avcodec/scpr: Fix reading a pixel before the first

Message ID 20180203180719.25079-1-michael@niedermayer.cc
State Accepted
Commit 0fb33a82890753233225c61863fff1fcc9d970d4
Headers show

Commit Message

Michael Niedermayer Feb. 3, 2018, 6:07 p.m. UTC 
Fixes: 5540/clusterfuzz-testcase-minimized-6122458273808384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/scpr.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Michael Niedermayer Feb. 11, 2018, 1:37 a.m. UTC | #1 
On Sat, Feb 03, 2018 at 07:07:19PM +0100, Michael Niedermayer wrote:
> Fixes: 5540/clusterfuzz-testcase-minimized-6122458273808384
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/scpr.c | 4 ++++
>  1 file changed, 4 insertions(+)

applied

[...]
diff mbox

Patch

diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index cbe1bc40d9..ad6073dbf0 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -681,6 +681,8 @@  static int decompress_p(AVCodecContext *avctx,
                                 return AVERROR_INVALIDDATA;
 
                             if (bx == 0) {
+                                if (by < 2)
+                                    return AVERROR_INVALIDDATA;
                                 z = backstep;
                             } else {
                                 z = 0;
@@ -710,6 +712,8 @@  static int decompress_p(AVCodecContext *avctx,
                                 return AVERROR_INVALIDDATA;
 
                             if (bx == 0) {
+                                if (by < 2)
+                                    return AVERROR_INVALIDDATA;
                                 z = backstep;
                             } else {
                                 z = 0;