[FFmpeg-devel,7/8] avcodec/exr: Check ymin vs. h

Message ID 20201024222312.5806-7-michael@niedermayer.cc
State Accepted
Commit 3e5959b3457f7f1856d997261e6ac672bba49e8b
Series [FFmpeg-devel,1/8] tools/target_dem_fuzzer: Limit max blocks

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Michael Niedermayer Oct. 24, 2020, 10:23 p.m. UTC
Fixes: out of array access
Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/exr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer Nov. 22, 2020, 4:40 p.m. UTC | #1
On Sun, Oct 25, 2020 at 12:23:11AM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/exr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
Patch

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index cf7824402a..25c4f82471 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1830,7 +1830,7 @@  static int decode_frame(AVCodecContext *avctx, void *data,
     // Zero out the start if ymin is not 0
     for (i = 0; i < planes; i++) {
         ptr = picture->data[i];
-        for (y = 0; y < s->ymin; y++) {
+        for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
             memset(ptr, 0, out_line_size);
             ptr += picture->linesize[i];
         }
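
Review bot: The clamp in the loop bound `for (y = 0; y < FFMIN(s->ymin, s->h); y++)` silently tolerates a `s->ymin` larger than `s->h` instead of treating it as an inconsistent header, and neither the code comment nor the commit message says why such a value can reach this point. Consider rejecting the mismatch with an error where the two values are first known, or, if clamping is the intended behaviour, extend the "Zero out the start if ymin is not 0" comment to say that `s->h` bounds the rows available in `picture->data[i]`. The bound is also re-evaluated on every iteration of the inner loop for every plane; computing it once into a local before the `planes` loop would make the intent clearer. It is worth checking whether any matching loop that zeroes the rows after the data window needs the same bound, since only the leading rows are covered here.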