avcodec/pngdec: consider chunk size in minimal size check
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 21 Jul 2019 22:03:15 +0000 (00:03 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 11 Aug 2019 17:13:21 +0000 (19:13 +0200)
Assuming each block contains at least an empty chunk, there have to be at least 8 extra bytes per block.

Fixes: 15327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LSCR_fuzzer-5676669303521280
Fixes: Timeout (11->5sec)
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/pngdec.c

index bf5a5191cc85834e5db58cace975327ff36956a1..cad579654573bd6418bf15ac94f6f1639ccc1d28 100644 (file)
@@ -1547,7 +1547,7 @@ static int decode_frame_lscr(AVCodecContext *avctx,
         return ret;
 
     nb_blocks = bytestream2_get_le16(gb);
-    if (bytestream2_get_bytes_left(gb) < 2 + nb_blocks * 12)
+    if (bytestream2_get_bytes_left(gb) < 2 + nb_blocks * (12 + 8))
         return AVERROR_INVALIDDATA;
 
     if (s->last_picture.f->data[0]) {
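Review bot: The constant `(12 + 8)` on the new line encodes the per-block minimum that the commit message explains, but the code itself does not say what the two terms are, so the next reader will have to dig through history to see why 8 was added; a short comment above the check would fix that, e.g. `/* each block needs 12 bytes of header plus at least one chunk (8 bytes even when empty) */`. Since nb_blocks comes from a 16-bit read on the line above, the product stays well inside int range, so the multiplication is not an overflow concern here. This is only a coarse up-front size check; presumably the per-block and per-chunk parsing further down still bounds each read against the remaining bytes, but that code is outside the hunk and should be confirmed. decode_frame_lscr starts before and continues after this hunk.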