[FFmpeg-cvslog] avcodec/wnv1: More strict buffer size check
Michael Niedermayer
git at videolan.org
Tue Jun 6 01:06:16 EEST 2017
ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Sun May 28 03:18:02 2017 +0200| [19556586d50817c07eb16a5c135d3e17d7e7c71c] | committer: Michael Niedermayer
avcodec/wnv1: More strict buffer size check
This requires at least 25% of a picture to allocate and decode it
Fixes: Timeout
Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 7f50c25124a015a539823077bb302ff0c7ce8963)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19556586d50817c07eb16a5c135d3e17d7e7c71c
---
libavcodec/wnv1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c
index 126c01a02d..915e9c7dc9 100644
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx,
int prev_y = 0, prev_u = 0, prev_v = 0;
uint8_t *rbuf;
- if (buf_size <= 8) {
+ if (buf_size < 8 + avctx->height * (avctx->width/2)/8) {
av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size);
return AVERROR_INVALIDDATA;
}
More information about the ffmpeg-cvslog
mailing list