]> git.sesse.net Git - ffmpeg/commitdiff
projects / ffmpeg / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2e6ea39)
avcodec/dvdsub_parser: Allocate input padding
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 13 Jul 2018 16:56:10 +0000 (18:56 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 15 Jul 2018 17:42:25 +0000 (19:42 +0200)
Fixes: out of array read
Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/dvdsub_parser.c patch | blob | history

diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c
index 8e1c48bef63db7bef84c43a8b0d1b09f3ad4ce97..698ccb6987ca871d0ff8ed0b9e0a6697b5ad3720 100644 (file)
--- a/libavcodec/dvdsub_parser.c
+++ b/libavcodec/dvdsub_parser.c
@@ -57,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s,
         if (pc->packet_len == 0) /* HD-DVD subpicture packet */
             pc->packet_len = AV_RB32(buf+2);
         av_freep(&pc->packet);
-        pc->packet = av_malloc(pc->packet_len);
+        if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+            av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len);
+            return buf_size;
+        }
+        pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE);
     }
     if (pc->packet) {
         if (pc->packet_index + buf_size <= pc->packet_len) {
Unnamed repository; edit this file 'description' to name the repository.