diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2020-11-22 00:31:47 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-09-10 16:04:26 +0200 |
commit | 044af7cb4bf8c4f1fe49ea1b959ee47ab3e4ca48 (patch) | |
tree | 02e5cca045d6b55d7b861f6707d168a7db7569e3 | |
parent | ad9e2f8914ac394b53ec2393c5ec358aeaad8879 (diff) | |
download | ffmpeg-044af7cb4bf8c4f1fe49ea1b959ee47ab3e4ca48.tar.gz |
avcodec/rscc: Check inflated_buf size whan it is used
Fixes: out of array access
Fixes: 27434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5196757675540480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit a5ed6da9bdbe32408aabe1c75e4b55fcaeec1e9b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/rscc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index f494c30ed8..e306b4a204 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -300,6 +300,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto end; } + if (ctx->inflated_size < pixel_size) { + ret = AVERROR_INVALIDDATA; + goto end; + } ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size); if (ret) { av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret); |