[FFmpeg-cvslog] avcodec/huffyuvdec: Check slice_offset/size

Michael Niedermayer git at videolan.org
Mon Jan 28 02:24:19 EET 2019


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Jan 21 00:39:43 2019 +0100| [fcbda8af175a1f305c46d6d46a4f90be4aa630ae] | committer: Michael Niedermayer

avcodec/huffyuvdec: Check slice_offset/size

Fixes: out of array access
Fixes: 12447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5201623956062208
Fixes: 12458/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705567736168448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fcbda8af175a1f305c46d6d46a4f90be4aa630ae
---

 libavcodec/huffyuvdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
index 8226c07743..27f650d7bf 100644
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -1268,6 +1268,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         if (nb_slices > 1) {
             slice_offset = AV_RL32(avpkt->data + slices_info_offset + slice * 8);
             slice_size = AV_RL32(avpkt->data + slices_info_offset + slice * 8 + 4);
+
+            if (slice_offset < 0 || slice_size <= 0 || (slice_offset&3) ||
+                slice_offset + (int64_t)slice_size > buf_size)
+                return AVERROR_INVALIDDATA;
+
             y_offset = height - (slice + 1) * slice_height;
             s->bdsp.bswap_buf((uint32_t *)s->bitstream_buffer,
                               (const uint32_t *)(buf + slice_offset), slice_size / 4);



More information about the ffmpeg-cvslog mailing list