diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-05-13 01:31:19 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-05-13 01:32:55 +0200 |
commit | 934572c5c3592732a30336afdf2df9926a8b4df2 (patch) | |
tree | 0bf89a265fed6f13c8723b79baec272348bbbe44 | |
parent | 0158b405a71f386c7844a3d975315afd47f16b5d (diff) | |
download | ffmpeg-934572c5c3592732a30336afdf2df9926a8b4df2.tar.gz |
avcodec/rscc: Check pixel_size for overflow
Fixes: 1509/clusterfuzz-testcase-minimized-5129419876204544
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/rscc.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index ebacd3f62c..f270cd5351 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -211,6 +211,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ctx->tiles[i].y = bytestream2_get_le16(gbc); ctx->tiles[i].h = bytestream2_get_le16(gbc); + if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size > INT_MAX) { + av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } + pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size; ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i, |