avcodec/magicyuv: Check slice size before reading flags and pred
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 23 Oct 2020 18:39:33 +0000 (20:39 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sat, 24 Oct 2020 12:39:49 +0000 (14:39 +0200)
Fixes: heap-buffer-overflow
Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/magicyuv.c

index ea1f727e5cf0a62302a3ee001c0d665e7ebe6371..f13351e5b5ae6d66237628b28cb990ee76c4431c 100644 (file)
@@ -623,6 +623,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
 
         s->slices[i][j].start = offset + header_size;
         s->slices[i][j].size  = avpkt->size - s->slices[i][j].start;
+
+        if (s->slices[i][j].size < 2)
+            return AVERROR_INVALIDDATA;
     }
 
     if (bytestream2_get_byteu(&gb) != s->planes)
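Review bot: The new `size < 2` guard only rejects a short slice if the subtraction on the line above cannot wrap: if the `size` field is unsigned (its declaration is outside the hunk) and `start` is not already proven to be at most `avpkt->size` by an earlier check in the loop, `avpkt->size - start` becomes a huge value and the guard never fires. If that bound is enforced elsewhere, a one-line comment on the check would save the next reader the same trace, e.g. `/* flags and pred bytes must fit; start <= avpkt->size is guaranteed above */`; otherwise compare before subtracting, e.g. `if (s->slices[i][j].start + 2 > avpkt->size) return AVERROR_INVALIDDATA;`. The constant 2 also deserves its meaning spelled out, since the commit title is the only place that ties it to the flags and pred reads. The enclosing `for` loop and magy_decode_frame itself both begin before this hunk.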