aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2020-11-22 00:31:47 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2021-09-10 16:04:26 +0200
commit044af7cb4bf8c4f1fe49ea1b959ee47ab3e4ca48 (patch)
tree02e5cca045d6b55d7b861f6707d168a7db7569e3
parentad9e2f8914ac394b53ec2393c5ec358aeaad8879 (diff)
downloadffmpeg-044af7cb4bf8c4f1fe49ea1b959ee47ab3e4ca48.tar.gz
avcodec/rscc: Check inflated_buf size whan it is used
Fixes: out of array access Fixes: 27434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5196757675540480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit a5ed6da9bdbe32408aabe1c75e4b55fcaeec1e9b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/rscc.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
index f494c30ed8..e306b4a204 100644
--- a/libavcodec/rscc.c
+++ b/libavcodec/rscc.c
@@ -300,6 +300,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
ret = AVERROR_INVALIDDATA;
goto end;
}
+ if (ctx->inflated_size < pixel_size) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size);
if (ret) {
av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret);