[FFmpeg-cvslog] avcodec/pngdec: Check length in fdAT
Michael Niedermayer
git at videolan.org
Sun May 10 02:29:41 EEST 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Apr 7 19:29:44 2020 +0200| [79e5c2ee2bbdf462cabd2113c723dfb613d735c2] | committer: Michael Niedermayer
avcodec/pngdec: Check length in fdAT
Fixes: 21089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5135981419429888
Fixes: out of array read
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79e5c2ee2bbdf462cabd2113c723dfb613d735c2
---
libavcodec/pngdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index d72f9bbb80..86f885bbee 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -1252,7 +1252,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
case MKTAG('f', 'd', 'A', 'T'):
if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG)
goto skip_tag;
- if (!decode_next_dat) {
+ if (!decode_next_dat || length < 4) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
More information about the ffmpeg-cvslog
mailing list