Message ID | 20201024222312.5806-7-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 3e5959b3457f7f1856d997261e6ac672bba49e8b |
Headers | show |
Series | [FFmpeg-devel,1/8] tools/target_dem_fuzzer: Limit max blocks | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
On Sun, Oct 25, 2020 at 12:23:11AM +0200, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/exr.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) will apply [...]
diff --git a/libavcodec/exr.c b/libavcodec/exr.c index cf7824402a..25c4f82471 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, // Zero out the start if ymin is not 0 for (i = 0; i < planes; i++) { ptr = picture->data[i]; - for (y = 0; y < s->ymin; y++) { + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { memset(ptr, 0, out_line_size); ptr += picture->linesize[i]; }
Fixes: out of array access Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)