Message ID | 20190831223240.27804-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 7f7af9e294f8bc00756922ab088430ea5b9d7498 |
On Sun, Sep 01, 2019 at 12:32:40AM +0200, Michael Niedermayer wrote:
> Ask for a sample for these
> Fixes: out of array access
> Fixes: 16624/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5762455661182976
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/vividas.c | 4 ++++
>  1 file changed, 4 insertions(+)

will apply

[...]

On Sun, Sep 01, 2019 at 12:32:36AM +0200, Michael Niedermayer wrote:
> "9.1.1.43 P Reference Distance (REFDIST)"
> "The value of REFDIST shall be less than, or equal to, 16."
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/vc1.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

will apply

[...]

diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index e102b931d8..42bfca55b1 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -933,7 +933,9 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) else if ((v->s.pict_type != AV_PICTURE_TYPE_B) && (v->s.pict_type != AV_PICTURE_TYPE_BI)) { v->refdist = get_bits(gb, 2); if (v->refdist == 3) - v->refdist += get_unary(gb, 0, 16); + v->refdist += get_unary(gb, 0, 14); + if (v->refdist > 16) + return AVERROR_INVALIDDATA; } if ((v->s.pict_type == AV_PICTURE_TYPE_B) || (v->s.pict_type == AV_PICTURE_TYPE_BI)) { if (read_bfraction(v, gb) < 0)
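
Review bot: the new range check `if (v->refdist > 16)` runs only after the parsed value has been written to `v->refdist`, so on the `AVERROR_INVALIDDATA` path the context still holds the out-of-range distance (with the unary part capped at 14, 3 + 14 = 17 is the only value that can trip it). Parsing into a local variable and assigning to `v->refdist` after the check would keep the context within the limit even if a caller carries on after the error. The relationship between the cap of 14 in `get_unary(gb, 0, 14)` and the limit of 16 is also not evident from the code alone; a one-line comment citing the REFDIST limit from section 9.1.1.43, which is currently quoted only in the commit message, would document it.
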
"9.1.1.43 P Reference Distance (REFDIST)" "The value of REFDIST shall be less than, or equal to, 16." Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/vc1.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)