diff mbox series

[FFmpeg-devel,4/5] avcodec/lscrdec: Check length in decode_idat()

Message ID 20210330113129.14852-4-michael@niedermayer.cc
State Accepted
Commit c01cd2a8b2a67da975d51fdf03f18c502df2e13c
Headers show
Series [FFmpeg-devel,1/5] avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment() | expand

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer March 30, 2021, 11:31 a.m. UTC 
Fixes: out of array access
Fixes: 32264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LSCR_fuzzer-6684504010915840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/lscrdec.c | 4 ++++
 1 file changed, 4 insertions(+)
diff mbox series

Patch

diff --git a/libavcodec/lscrdec.c b/libavcodec/lscrdec.c
index f5cfe1fa04..042da84bf9 100644
--- a/libavcodec/lscrdec.c
+++ b/libavcodec/lscrdec.c
@@ -76,6 +76,10 @@  static int decode_idat(LSCRContext *s, int length)
     int ret;
     s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb));
     s->zstream.next_in  = s->gb.buffer;
+
+    if (length <= 0)
+        return AVERROR_INVALIDDATA;
+
     bytestream2_skip(&s->gb, length);
 
     /* decode one line if possible */