author | Michael Niedermayer <michael@niedermayer.cc> | 2021-10-02 23:37:05 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2021-11-29 17:15:07 +0100 |
commit | 3809467d4dc26a1ec7d7afb617c2a1f89eaa6a8b (patch) | |
tree | 09e5d5170e380511f0cc615a7e06790a15eea54f | |
parent | 76c41a5bfeceb6d4a5c656abe41791f08c3b011c (diff) | |
download | ffmpeg-3809467d4dc26a1ec7d7afb617c2a1f89eaa6a8b.tar.gz |
avcodec/iff: limit written bytes to twice the output array size in decode_delta_l()
Fixes: Timeout
Fixes: 39436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6624915520880640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/iff.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index 6a4c466b44..1dcf0e00ed 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -1456,6 +1456,7 @@ static void decode_delta_l(uint8_t *dst,
     int planepitch_byte = (w + 7) / 8;
     int planepitch = ((w + 15) / 16) * 2;
     int pitch = planepitch * bpp;
+    int count = 0;
 
     if (buf_end - buf <= 64)
         return;
@@ -1487,6 +1488,8 @@ static void decode_delta_l(uint8_t *dst,
             int16_t cnt = bytestream2_get_be16(&ogb);
             uint16_t data;
 
+            if (count > dst_size)
+                break;
             offset = ((2 * offset) / planepitch_byte) * pitch + ((2 * offset) % planepitch_byte) + k * planepitch;
             if (cnt < 0) {
                 if (bytestream2_get_bytes_left(&dgb) < 2)
@@ -1494,6 +1497,7 @@ static void decode_delta_l(uint8_t *dst,
                 bytestream2_seek_p(&pb, offset, SEEK_SET);
                 cnt = -cnt;
                 data = bytestream2_get_be16(&dgb);
+                count += cnt;
                 for (i = 0; i < cnt; i++) {
                     bytestream2_put_be16(&pb, data);
                     bytestream2_skip_p(&pb, dstpitch - 2);
@@ -1502,6 +1506,7 @@ static void decode_delta_l(uint8_t *dst,
                 if (bytestream2_get_bytes_left(&dgb) < 2*cnt)
                     break;
                 bytestream2_seek_p(&pb, offset, SEEK_SET);
+                count += cnt;
                 for (i = 0; i < cnt; i++) {
                     data = bytestream2_get_be16(&dgb);
                     bytestream2_put_be16(&pb, data);
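Review bot: The new `if (count > dst_size) break;` in the second hunk compares a count of 16-bit words (count is advanced by cnt wherever the loop below does cnt calls to bytestream2_put_be16) against a byte size, so the limit is about 2*dst_size bytes of output, which matches the commit title but reads like an off-by-factor-two bug on its own. A one-line comment above the check would stop a later "fix": `/* count is in 16-bit words: this bounds total output to ~2*dst_size bytes plus one entry */`. The check also runs before the current entry is accumulated, so the last accepted entry can still add up to INT16_MAX words; that remains bounded, which is enough for the timeout this addresses. decode_delta_l() starts and ends outside this hunk.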
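Review bot: The `count += cnt;` added in the third hunk runs after `cnt = -cnt;`, and for an opcode value of INT16_MIN the negated value does not fit in int16_t; on the usual two's-complement wrap cnt stays -32768, the for loop below writes nothing (as before this commit), but count now decreases by 32768, so a run of such entries can pull the counter back under dst_size and re-open the limit that this commit introduces. Accumulating in int before the narrowing assignment avoids this: move the line up and flip the sign, `count -= cnt;` placed immediately before `cnt = -cnt;`. That over-counts only this degenerate entry, which is the conservative direction for a work bound. The `count += cnt;` in the fourth hunk is fine as cnt is non-negative on that branch. decode_delta_l() starts and ends outside this hunk.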