| Message ID | 20200511203046.4042-3-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | f0c0471075fe52ed31c46e038df4280aef5b67a1 |
| Headers | show |
| Series | [FFmpeg-devel,1/3] avcodec/cdtoons: Check sprite_offset is within the packet | expand |
| Context | Check | Description |
|---|---|---|
| andriy/default | pending | |
| andriy/make | success | Make finished |
| andriy/make_fate | success | Make fate finished |
On Mon, May 11, 2020 at 10:30:46PM +0200, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/ralf.c | 2 ++ > 1 file changed, 2 insertions(+) will apply [...]
diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 831728177e..7336c87183 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -481,6 +481,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, init_get_bits(&gb, src + 2, table_size); ctx->num_blocks = 0; while (get_bits_left(&gb) > 0) { + if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size)) + return AVERROR_INVALIDDATA; ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels); if (get_bits1(&gb)) { ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9);
Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/ralf.c | 2 ++ 1 file changed, 2 insertions(+)