[FFmpeg-devel] [PATCH] avcodec/hq_hqa: Check info size
Hendrik Leppkes
h.leppkes at gmail.com
Sat May 30 03:09:42 EEST 2020
On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer
<michael at niedermayer.cc> wrote:
>
> Fixes: assertion failure
> Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/hq_hqa.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
> index eec2e980b3..8404e80ec8 100644
> --- a/libavcodec/hq_hqa.c
> +++ b/libavcodec/hq_hqa.c
> @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
> int info_size;
> bytestream2_skip(&ctx->gbc, 4);
> info_size = bytestream2_get_le32(&ctx->gbc);
> - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
> + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
> av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
> return AVERROR_INVALIDDATA;
> }
> --
bytestream2_get_le32 returns an unsigned type, wouldn't it be better
to make info_size unsigned and avoid the type cast and signed overflow
that results in this check failing?
- Hendrik
More information about the ffmpeg-devel
mailing list