author | Michael Niedermayer <michael@niedermayer.cc> | 2019-08-10 17:34:37 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-08-29 15:16:18 +0200 |
commit | 37bc8e3249c88b733bcc0d8c74cdf668292e4d63 (patch) | |
tree | ce20059a1f73eb2eac26444cb380936d564d1d4f | |
parent | e0c973e5bea94dc70baf20d5a36e123b1ca1f901 (diff) | |
avcodec/cavsdec: Limit the number of access units per packet to 2
Fixes: Timeout (122sec -> 13ms)
Fixes: 15978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5148925004087296
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/cavsdec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 5f3b354518..1c4f71824a 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1215,6 +1215,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 int input_size, ret;
 const uint8_t *buf_end;
 const uint8_t *buf_ptr;
+ int frame_start = 0;
 if (buf_size == 0) {
 if (!h->low_delay && h->DPB[0].f->data[0]) {
@@ -1248,6 +1249,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 h->got_keyframe = 1;
 }
 case PIC_PB_START_CODE:
+ if (frame_start > 1)
+ return AVERROR_INVALIDDATA;
+ frame_start ++;
 if (*got_frame)
 av_frame_unref(data);
 *got_frame = 0; |
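Review bot: The new early return under `case PIC_PB_START_CODE:` exits before the `if (*got_frame) av_frame_unref(data); *got_frame = 0;` reset that follows it, so a third picture in one packet can return `AVERROR_INVALIDDATA` while `*got_frame` is still set from an earlier picture. Whether the caller copes with an error return alongside a live frame is not visible here, since the body of `cavs_decode_frame` starts and ends outside both hunks. Either move the check below the reset or clear the state explicitly before returning. The limit is also a bare literal and the rejection is silent, so I would add a comment such as `/* accept at most 2 pictures per packet; more is rejected to bound decode time on crafted input */` and log the rejection with `av_log(avctx, AV_LOG_ERROR, "Too many pictures in one packet\n");`. The preceding case appears to fall through into this label, so I-pictures presumably count toward the same limit; a `/* fall through */` marker there would make that intent explicit.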