diff mbox series

[FFmpeg-devel,2/4] avcodec/mv30: Check available space in decode_intra() more completly

Message ID 20210211211715.6234-2-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/4] avcodec/pnm_parser: Check av_image_get_buffer_size() for failure
Related show

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer Feb. 11, 2021, 9:17 p.m. UTC
Fixes: Timeout (>10sec -> instantaneous)
Fixes: 30147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5549246684200960

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mv30.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Paul B Mahol Feb. 11, 2021, 9:29 p.m. UTC | #1
this is hack
diff mbox series

Patch

diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c
index 7ae264e0f0..c92048a179 100644
--- a/libavcodec/mv30.c
+++ b/libavcodec/mv30.c
@@ -411,6 +411,8 @@  static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame
     mgb = *gb;
     if (get_bits_left(gb) < s->mode_size * 8)
         return AVERROR_INVALIDDATA;
+    if (get_bits_left(&mgb) < (avctx->height + 15)/16 * ((avctx->width + 15)/16) * 12)
+        return AVERROR_INVALIDDATA;
 
     skip_bits_long(gb, s->mode_size * 8);