Message ID | 20210330092303.10534-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 9e8475c7c7a81e8299e88d89981df3c14657fff4 |
Headers | show |
Series | [FFmpeg-devel,1/2] avcodec/exr: Check oe in huf_decode() before use | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
On Tue, Mar 30, 2021 at 11:23:02AM +0200, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: 31386/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5773234709594112 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/exr.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) will apply patchset [...]
diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 279cfe9412..65e5203c31 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -422,7 +422,12 @@ static int huf_decode(VLC *vlc, GetByteContext *gb, int nbits, int run_sym, if (x == run_sym) { int run = get_bits(&gbit, 8); - uint16_t fill = out[oe - 1]; + uint16_t fill; + + if (oe == 0 || oe + run > no) + return AVERROR_INVALIDDATA; + + fill = out[oe - 1]; while (run-- > 0) out[oe++] = fill;
Fixes: out of array access Fixes: 31386/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5773234709594112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/exr.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)