[FFmpeg-devel] [PATCH 4/6] avcodec/sgidec: do not forget the number of components in read_uncompressed_sgi()
Andreas Rheinhardt
andreas.rheinhardt at outlook.com
Thu Jan 12 02:02:57 EET 2023
Michael Niedermayer:
> Fixes: out of array access
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6704753329700864
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6683986844057600
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6697387691474944
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/sgidec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c
> index 6ff2ee97f6..92083f23de 100644
> --- a/libavcodec/sgidec.c
> +++ b/libavcodec/sgidec.c
> @@ -159,7 +159,7 @@ static int read_uncompressed_sgi(uint8_t *const out[4], const ptrdiff_t stride[4
> unsigned rowsize = width * bytes_per_channel;
>
> /* Test buffer size. */
> - if (rowsize * (int64_t)height > bytestream2_get_bytes_left(g))
> + if (rowsize * (int64_t)height * nb_components > bytestream2_get_bytes_left(g))
> return AVERROR_INVALIDDATA;
>
> for (unsigned z = 0; z < nb_components; z++) {
LGTM. (Sorry for having forgotten this in
ce4713ea731b9deb0440abe8d8a2a41d2957efc5.)
- Andreas
More information about the ffmpeg-devel
mailing list