diff mbox series

[FFmpeg-devel,1/3] avcodec/cdtoons: Check sprite_offset is within the packet

Message ID 20200511203046.4042-1-michael@niedermayer.cc
State Accepted
Commit 4d701e92223d046a9d52c3ae16897e492f045478
Headers show
Series [FFmpeg-devel,1/3] avcodec/cdtoons: Check sprite_offset is within the packet | expand

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Michael Niedermayer May 11, 2020, 8:30 p.m. UTC 
Fixes: out of array read
Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDTOONS_fuzzer-5754518731227136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cdtoons.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Paul B Mahol May 11, 2020, 9:12 p.m. UTC | #1 
probably ok

On 5/11/20, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: out of array read
> Fixes:
> 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDTOONS_fuzzer-5754518731227136
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/cdtoons.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/cdtoons.c b/libavcodec/cdtoons.c
> index 13f9a60f0f..a8609815c1 100644
> --- a/libavcodec/cdtoons.c
> +++ b/libavcodec/cdtoons.c
> @@ -190,6 +190,9 @@ static int cdtoons_decode_frame(AVCodecContext *avctx,
> void *data,
>      palette_set        = bytestream_get_byte(&buf);
>      buf               += 5;
>
> +    if (sprite_offset > buf_size)
> +        return AVERROR_INVALIDDATA;
> +
>      /* read new sprites introduced in this frame */
>      buf = avpkt->data + sprite_offset;
>      while (sprite_count--) {
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer May 12, 2020, 6:59 p.m. UTC | #2 
On Mon, May 11, 2020 at 11:12:45PM +0200, Paul B Mahol wrote:
> probably ok

will apply

thx

[...]
diff mbox series

Patch

diff --git a/libavcodec/cdtoons.c b/libavcodec/cdtoons.c
index 13f9a60f0f..a8609815c1 100644
--- a/libavcodec/cdtoons.c
+++ b/libavcodec/cdtoons.c
@@ -190,6 +190,9 @@  static int cdtoons_decode_frame(AVCodecContext *avctx, void *data,
     palette_set        = bytestream_get_byte(&buf);
     buf               += 5;
 
+    if (sprite_offset > buf_size)
+        return AVERROR_INVALIDDATA;
+
     /* read new sprites introduced in this frame */
     buf = avpkt->data + sprite_offset;
     while (sprite_count--) {