avcodec/rasc: Check uncompressed dlta size

We assume that if the compressed size is bigger than if each byte is encoded in a single raw packet that the data is invalid. Fixes: Out of memory Fixes: 12208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5648916473708544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f4079d5174c20eddbc99eef6ebe98d411f8014c5) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2019-01-23 00:16:02 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2019-01-31 17:28:23 +0100
commit: 0f1332309aff3924fcd740cf36c61f1f9e6f026e (patch)
tree: 93cf266484ca6b0a6e141060347b0ad16796867e
parent: f5c9753bfdab20ad54fbdbbe85b52c82d0bb3c4b (diff)
download: ffmpeg-0f1332309aff3924fcd740cf36c61f1f9e6f026e.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c
index 1b607ac31e..6e32c1540e 100644
--- a/libavcodec/rasc.c
+++ b/libavcodec/rasc.c
@@ -353,6 +353,8 @@ static int decode_dlta(AVCodecContext *avctx,
     compression = bytestream2_get_le32(gb);
 
     if (compression == 1) {
+        if (w * h * s->bpp * 3 < uncompressed_size)
+            return AVERROR_INVALIDDATA;
         ret = decode_zlib(avctx, avpkt, size, uncompressed_size);
         if (ret < 0)
             return ret;
author	Michael Niedermayer <michael@niedermayer.cc>	2019-01-23 00:16:02 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2019-01-31 17:28:23 +0100
commit	0f1332309aff3924fcd740cf36c61f1f9e6f026e (patch)
tree	93cf266484ca6b0a6e141060347b0ad16796867e
parent	f5c9753bfdab20ad54fbdbbe85b52c82d0bb3c4b (diff)
download	ffmpeg-0f1332309aff3924fcd740cf36c61f1f9e6f026e.tar.gz