| Message ID | 20200701230407.25977-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | f35caea77f76c62bd0e392e514a84833ab1e0c83 |
| Headers | show |
| Series | [FFmpeg-devel,1/2] avcodec/tiff: Do not overrun the array ends in dng_blit() | expand |
| Context | Check | Description |
|---|---|---|
| andriy/default | pending | |
| andriy/make | success | Make finished |
| andriy/make_fate | success | Make fate finished |
On Thu, Jul 02, 2020 at 01:04:06AM +0200, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: 23589/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5110559589793792.fuzz > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/tiff.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) will apply patchset [...]
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index dc24d055ec..d93a02b07e 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -859,8 +859,11 @@ static void dng_blit(TiffContext *s, uint8_t *dst, int dst_stride, } } else { for (line = 0; line < height; line++) { + uint8_t *dst_u8 = dst; + const uint8_t *src_u8 = src; + for (col = 0; col < width; col++) - *dst++ = dng_process_color8(*src++, s->dng_lut, s->black_level, scale_factor); + *dst_u8++ = dng_process_color8(*src_u8++, s->dng_lut, s->black_level, scale_factor); dst += dst_stride; src += src_stride;
Fixes: out of array access Fixes: 23589/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5110559589793792.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/tiff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)