
[FFmpeg-devel,5/7] avformat/mpegts: Limit copied data to space

Message ID 20201104000649.14740-5-michael@niedermayer.cc
State Accepted
Commit 79cf7c71910a69b9f22b3e7ee6508a771262abaf
Series [FFmpeg-devel,1/7] avformat/mpc8: correct 32bit timestamp truncation

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Michael Niedermayer Nov. 4, 2020, 12:06 a.m. UTC
Fixes: out of array access
Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mpegts.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Marton Balint Nov. 4, 2020, 10:17 p.m. UTC | #1
On Wed, 4 Nov 2020, Michael Niedermayer wrote:

> Fixes: out of array access
> Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mpegts.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
> index ebb09991dc..80d010db6c 100644
> --- a/libavformat/mpegts.c
> +++ b/libavformat/mpegts.c
> @@ -3169,7 +3169,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt)
>         return ret;
>     }
>     if (data != pkt->data)
> -        memcpy(pkt->data, data, ts->raw_packet_size);
> +        memcpy(pkt->data, data, TS_PACKET_SIZE);
>     finished_reading_packet(s, ts->raw_packet_size);
>     if (ts->mpeg2ts_compute_pcr) {
>         /* compute exact PCR for each packet */
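
Review bot: The memcpy() length and the following finished_reading_packet(s, ts->raw_packet_size) call now use different sizes, and nothing in the hunk says why. If the point is that pkt->data has room for only TS_PACKET_SIZE bytes while the input must still advance by the full raw packet size, a one-line comment above the memcpy() saying so would keep a later cleanup from "unifying" the two back to ts->raw_packet_size and reintroducing the out of array access.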

LGTM, thanks.

Marton
Michael Niedermayer Nov. 7, 2020, 6:18 p.m. UTC | #2
On Wed, Nov 04, 2020 at 11:17:53PM +0100, Marton Balint wrote:
> 
> 
> On Wed, 4 Nov 2020, Michael Niedermayer wrote:
> 
> > Fixes: out of array access
> > Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/mpegts.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
> > index ebb09991dc..80d010db6c 100644
> > --- a/libavformat/mpegts.c
> > +++ b/libavformat/mpegts.c
> > @@ -3169,7 +3169,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt)
> >         return ret;
> >     }
> >     if (data != pkt->data)
> > -        memcpy(pkt->data, data, ts->raw_packet_size);
> > +        memcpy(pkt->data, data, TS_PACKET_SIZE);
> >     finished_reading_packet(s, ts->raw_packet_size);
> >     if (ts->mpeg2ts_compute_pcr) {
> >         /* compute exact PCR for each packet */
> 
> LGTM, thanks.

will apply

thx

[...]

Patch

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index ebb09991dc..80d010db6c 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -3169,7 +3169,7 @@  static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt)
         return ret;
     }
     if (data != pkt->data)
-        memcpy(pkt->data, data, ts->raw_packet_size);
+        memcpy(pkt->data, data, TS_PACKET_SIZE);
     finished_reading_packet(s, ts->raw_packet_size);
     if (ts->mpeg2ts_compute_pcr) {
         /* compute exact PCR for each packet */
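
Review bot: The new bound in memcpy(pkt->data, data, TS_PACKET_SIZE) is a constant that is not tied to the destination at the point of the copy, so it stays correct only as long as the packet is allocated with at least TS_PACKET_SIZE bytes elsewhere. Consider deriving the length from the packet itself (for example pkt->size) or asserting pkt->size >= TS_PACKET_SIZE just before the copy. The commit message would also benefit from one sentence stating which buffer was overrun and under which raw_packet_size values, since "out of array access" alone does not say whether the read or the write side was affected.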