[FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation
James Almer
jamrial at gmail.com
Fri Jan 13 02:11:35 EET 2023
On 1/12/2023 9:01 PM, Michael Niedermayer wrote:
> Fixes:OOM
> Fixes:out of array access (no testcase)
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/xpmdec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
> index ff1f51dd32..504cc47d8f 100644
> --- a/libavcodec/xpmdec.c
> +++ b/libavcodec/xpmdec.c
> @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
>
> size *= 4;
>
> + if (size > SIZE_MAX)
> + return AVERROR(ENOMEM);
Maybe check for (size > SIZE_MAX / 4) before the multiplication above
instead.
> +
> ptr += mod_strcspn(ptr, ",") + 1;
> if (end - ptr < 1)
> return AVERROR_INVALIDDATA;
More information about the ffmpeg-devel
mailing list