[FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
Andreas Rheinhardt
andreas.rheinhardt at outlook.com
Mon Jan 10 11:17:39 EET 2022
Michael Niedermayer:
> Fixes: division by zero
> Fixes: integer overflow
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/rawvideodec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..387c4ba80f5 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> enum AVPixelFormat pix_fmt;
> AVStream *st;
> int packet_size;
> + int ret;
>
> st = avformat_new_stream(ctx, NULL);
> if (!st)
> @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>
> avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
>
> + ret = av_image_check_size(s->width, s->height, 0, ctx);
Looking at av_image_check_size() this seems to ensure that 8 * width
*height fits in an int. So this should indeed fix all the overflows.
> + if (ret < 0)
> + return ret;
> +
> st->codecpar->width = s->width;
> st->codecpar->height = s->height;
>
> @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> if (packet_size < 0)
> return packet_size;
> }
> + if (packet_size == 0)
> + return AVERROR(EINVAL);
>
> st->codecpar->format = pix_fmt;
> ctx->packet_size = packet_size;
>
More information about the ffmpeg-devel
mailing list