diff mbox series

[FFmpeg-devel,4/4] avcodec/ffv1dec: Check for min packet size

Message ID 20220703141811.29914-4-michael@niedermayer.cc
State Accepted
Commit 78b95530f0a1f04864079614b251b765b1ee77ec
Headers show
Series [FFmpeg-devel,1/4] avcodec/ffv1dec_template: Fix indention | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_armv7_RPi4 success Make finished
andriy/make_fate_armv7_RPi4 success Make fate finished

Commit Message

Michael Niedermayer July 3, 2022, 2:18 p.m. UTC 
Fixes: Timeout
Fixes: 48619/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5793597923917824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ffv1dec.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff mbox series

Patch

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 7731c15c87..01ddcaa512 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -879,6 +879,14 @@  static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
         p->key_frame = 0;
     }
 
+    if (f->ac != AC_GOLOMB_RICE) {
+        if (buf_size < avctx->width * avctx->height / (128*8))
+            return AVERROR_INVALIDDATA;
+    } else {
+        if (buf_size < avctx->height / 8)
+            return AVERROR_INVALIDDATA;
+    }
+
     ret = ff_thread_get_ext_buffer(avctx, &f->picture, AV_GET_BUFFER_FLAG_REF);
     if (ret < 0)
         return ret;