diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2018-09-18 00:28:37 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-11-18 02:35:03 +0100 |
| commit | 2baee6dd1b9e33d88c7a6621a00a487f9c3fd95e (patch) | |
| tree | 0b66ea3396ae8cbcc7e26b23a653699089f3f257 | |
| parent | 5fe92631fc2015ced579da5fe4efa8fc52042911 (diff) | |
| download | ffmpeg-2baee6dd1b9e33d88c7a6621a00a487f9c3fd95e.tar.gz | |
avcodec/zmbv: Check that the decompressed data size is correct
This checks the value exactly for intra frames and checks it against a
minimum for inter frames as they can be variable.
Fixes: Timeout
Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/zmbv.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 0ffeea502c..46f59583c9 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int zret = Z_OK; // Zlib return code int len = buf_size; int hi_ver, lo_ver, ret; + int expected_size; /* parse header */ if (len < 1) @@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8)); c->decode_intra= decode_intra; } + if (c->flags & ZMBV_KEYFRAME) { + expected_size = avctx->width * avctx->height * (c->bpp / 8); + } else { + expected_size = (c->bx * c->by * 2 + 3) & ~3; + } + if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && + (c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME))) + expected_size += 768; if (!c->decode_intra) { av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n"); @@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } c->decomp_len = c->zstream.total_out; } + if (expected_size > c->decomp_len || + (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) { + av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); + return AVERROR_INVALIDDATA; + } if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; |