Message ID | 20190806213006.25210-4-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
On Tue, Aug 06, 2019 at 11:30:05PM +0200, Michael Niedermayer wrote: > Fixes: Timeout (Infinite->Finite) > Fixes: 15706/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5114674904825856 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/tiff.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) This patch is likely buggy, ill write a better one Note, testcases which fail are welcome (i have none ATM) Thanks [...]
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c520d7df83..8c9e7b0881 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1407,7 +1407,7 @@ static int decode_frame(AVCodecContext *avctx, GetByteContext stripsizes; GetByteContext stripdata; int retry_for_subifd, retry_for_page; - + int retry_count = 1; bytestream2_init(&s->gb, avpkt->data, avpkt->size); // parse image header @@ -1467,6 +1467,10 @@ again: av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; } + if (!retry_count--) { + av_log(avctx, AV_LOG_ERROR, "too many retries\n"); + return AVERROR_INVALIDDATA; + } s->sub_ifd = 0; goto again; }
Fixes: Timeout (Infinite->Finite) Fixes: 15706/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5114674904825856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/tiff.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)