diff mbox

[FFmpeg-devel,1/5] vcodec/agm: Alloc based on coded dimensions

Message ID 20191114163408.16682-1-michael@niedermayer.cc
State Accepted
Commit bfa8272f405314582e8f099ec1a9249232553c9c
Headers show

Commit Message

Michael Niedermayer Nov. 14, 2019, 4:34 p.m. UTC 
Fixes: out of array read
Fixes: 18715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5659333417500672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/agm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paul B Mahol Nov. 14, 2019, 5:07 p.m. UTC | #1 
LGTM

On 11/14/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: out of array read
> Fixes:
> 18715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5659333417500672
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/agm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/agm.c b/libavcodec/agm.c
> index 241e9eeb1b..628f324913 100644
> --- a/libavcodec/agm.c
> +++ b/libavcodec/agm.c
> @@ -827,7 +827,7 @@ static int decode_intra(AVCodecContext *avctx,
> GetBitContext *gb, AVFrame *frame
>  static int decode_motion_vectors(AVCodecContext *avctx, GetBitContext *gb)
>  {
>      AGMContext *s = avctx->priv_data;
> -    int nb_mvs = ((avctx->height + 15) >> 4) * ((avctx->width + 15) >> 4);
> +    int nb_mvs = ((avctx->coded_height + 15) >> 4) * ((avctx->coded_width +
> 15) >> 4);
>      int ret, skip = 0, value, map;
>
>      av_fast_padded_malloc(&s->mvectors, &s->mvectors_size,
> --
> 2.23.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer Nov. 15, 2019, 8:45 p.m. UTC | #2 
On Thu, Nov 14, 2019 at 06:07:30PM +0100, Paul B Mahol wrote:
> LGTM

will apply

thx

[...]
diff mbox

Patch

diff --git a/libavcodec/agm.c b/libavcodec/agm.c
index 241e9eeb1b..628f324913 100644
--- a/libavcodec/agm.c
+++ b/libavcodec/agm.c
@@ -827,7 +827,7 @@  static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame
 static int decode_motion_vectors(AVCodecContext *avctx, GetBitContext *gb)
 {
     AGMContext *s = avctx->priv_data;
-    int nb_mvs = ((avctx->height + 15) >> 4) * ((avctx->width + 15) >> 4);
+    int nb_mvs = ((avctx->coded_height + 15) >> 4) * ((avctx->coded_width + 15) >> 4);
     int ret, skip = 0, value, map;
 
     av_fast_padded_malloc(&s->mvectors, &s->mvectors_size,