avcodec/magicyuv: Check slice size before reading flags and pred

Fixes: heap-buffer-overflow Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-23 20:39:33 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-10-24 14:39:49 +0200
commit: 0dc42147b6843b133d4fa46bf1c2568a837b4bec (patch)
tree: 34b17946bcc97749f336ce8e722f40d5f3fd4d75
parent: 2b702015d8b1e273280f9389e7accf68266d0165 (diff)
download: ffmpeg-0dc42147b6843b133d4fa46bf1c2568a837b4bec.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
index ea1f727e5c..f13351e5b5 100644
--- a/libavcodec/magicyuv.c
+++ b/libavcodec/magicyuv.c
@@ -623,6 +623,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
 
         s->slices[i][j].start = offset + header_size;
         s->slices[i][j].size  = avpkt->size - s->slices[i][j].start;
+
+        if (s->slices[i][j].size < 2)
+            return AVERROR_INVALIDDATA;
     }
 
     if (bytestream2_get_byteu(&gb) != s->planes)
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-23 20:39:33 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-10-24 14:39:49 +0200
commit	0dc42147b6843b133d4fa46bf1c2568a837b4bec (patch)
tree	34b17946bcc97749f336ce8e722f40d5f3fd4d75
parent	2b702015d8b1e273280f9389e7accf68266d0165 (diff)
download	ffmpeg-0dc42147b6843b133d4fa46bf1c2568a837b4bec.tar.gz