diff mbox series

[FFmpeg-devel,1/2] avcodec/pngdec: Check length in fdAT

Message ID 20200407205353.2212-1-michael@niedermayer.cc
State Accepted
Commit 79e5c2ee2bbdf462cabd2113c723dfb613d735c2
Headers show
Series [FFmpeg-devel,1/2] avcodec/pngdec: Check length in fdAT | expand

Checks

Context Check Description
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Michael Niedermayer April 7, 2020, 8:53 p.m. UTC 
Fixes: 21089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5135981419429888
Fixes: out of array read

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/pngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer May 9, 2020, 11:07 p.m. UTC | #1 
On Tue, Apr 07, 2020 at 10:53:52PM +0200, Michael Niedermayer wrote:
> Fixes: 21089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5135981419429888
> Fixes: out of array read
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/pngdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply patchset

[...]
diff mbox series

Patch

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 3ce980fc15..39e0569061 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -1252,7 +1252,7 @@  static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
         case MKTAG('f', 'd', 'A', 'T'):
             if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG)
                 goto skip_tag;
-            if (!decode_next_dat) {
+            if (!decode_next_dat || length < 4) {
                 ret = AVERROR_INVALIDDATA;
                 goto fail;
             }