aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-08-10 17:34:37 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2019-08-29 15:16:18 +0200
commit37bc8e3249c88b733bcc0d8c74cdf668292e4d63 (patch)
treece20059a1f73eb2eac26444cb380936d564d1d4f
parente0c973e5bea94dc70baf20d5a36e123b1ca1f901 (diff)
downloadffmpeg-37bc8e3249c88b733bcc0d8c74cdf668292e4d63.tar.gz
avcodec/cavsdec: Limit the number of access units per packet to 2
Fixes: Timeout (122sec -> 13ms) Fixes: 15978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5148925004087296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/cavsdec.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 5f3b354518..1c4f71824a 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1215,6 +1215,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
int input_size, ret;
const uint8_t *buf_end;
const uint8_t *buf_ptr;
+ int frame_start = 0;
if (buf_size == 0) {
if (!h->low_delay && h->DPB[0].f->data[0]) {
@@ -1248,6 +1249,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
h->got_keyframe = 1;
}
case PIC_PB_START_CODE:
+ if (frame_start > 1)
+ return AVERROR_INVALIDDATA;
+ frame_start ++;
if (*got_frame)
av_frame_unref(data);
*got_frame = 0;