]> git.sesse.net Git - ffmpeg/commitdiff
projects / ffmpeg / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f44068d)
avcodec/sga: Check for array end in lzss_decompress()
authorMichael Niedermayer <michael@niedermayer.cc>
Wed, 17 Mar 2021 21:19:33 +0000 (22:19 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Fri, 26 Mar 2021 15:00:14 +0000 (16:00 +0100)
Fixes: out of array access
Fixes: 31640/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGA_fuzzer-5630883286614016
Fixes: 31619/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGA_fuzzer-5176667708456960
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/sga.c patch | blob | history

diff --git a/libavcodec/sga.c b/libavcodec/sga.c
index 00752a584376f351e61765dbe1fa29c1d75f77aa..7e6bea530c931110fdae859d35568f4cec9a3664 100644 (file)
--- a/libavcodec/sga.c
+++ b/libavcodec/sga.c
@@ -232,7 +232,7 @@ static int lzss_decompress(AVCodecContext *avctx,
 
                 if (offset <= 0)
                     offset = 1;
-                if (oi < offset)
+                if (oi < offset || oi + count * 2 > dst_size)
                     return AVERROR_INVALIDDATA;
                 for (int j = 0; j < count * 2; j++) {
                     dst[oi] = dst[oi - offset];
Unnamed repository; edit this file 'description' to name the repository.