Message ID | 20190106113820.21480-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 96e495082aedc4fcf444e2c7ef301867ba3e0b1f |
Headers | show |
On 1/6/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: out of array access > Fixes: > 12381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705474280783872 > Fixes: > 12384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5725303345774592 > Fixes: > 12389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5704033050820608 > Fixes: > 12391/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5707284146028544 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/huffyuvdec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c > index 4e00692631..dfe3585e6e 100644 > --- a/libavcodec/huffyuvdec.c > +++ b/libavcodec/huffyuvdec.c > @@ -1254,7 +1254,7 @@ static int decode_frame(AVCodecContext *avctx, void > *data, int *got_frame, > slices_info_offset = AV_RL32(avpkt->data + buf_size - 4); > slice_height = AV_RL32(avpkt->data + buf_size - 8); > nb_slices = AV_RL32(avpkt->data + buf_size - 12); > - if (nb_slices * 8LL + slices_info_offset > buf_size - 16) > + if (nb_slices * 8LL + slices_info_offset > buf_size - 16 || > slice_height <= 0) > return AVERROR_INVALIDDATA; > } else { > slice_height = height; > -- > 2.20.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > ok
diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 4e00692631..dfe3585e6e 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -1254,7 +1254,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, slices_info_offset = AV_RL32(avpkt->data + buf_size - 4); slice_height = AV_RL32(avpkt->data + buf_size - 8); nb_slices = AV_RL32(avpkt->data + buf_size - 12); - if (nb_slices * 8LL + slices_info_offset > buf_size - 16) + if (nb_slices * 8LL + slices_info_offset > buf_size - 16 || slice_height <= 0) return AVERROR_INVALIDDATA; } else { slice_height = height;
Fixes: out of array access Fixes: 12381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705474280783872 Fixes: 12384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5725303345774592 Fixes: 12389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5704033050820608 Fixes: 12391/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5707284146028544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/huffyuvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)