avcodec/pngdec: Fix off by 1 size in decode_zbuf()

Fixes out of array access Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit e371f031b942d73e02c090170975561fabd5c264) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-01-23 01:25:27 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-08-23 13:15:16 +0200
commit: 62244f37d116af28949787d160f80f5210083e55 (patch)
tree: 1e03c1fb241075a3e59ef441f0c3b87b2a65577e
parent: 14e5d6a009ea7927a8615b6e253a27ca248708ff (diff)
download: ffmpeg-62244f37d116af28949787d160f80f5210083e55.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 8c22da0d78..986cde3719 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -421,13 +421,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data,
     av_bprint_init(bp, 0, -1);
 
     while (zstream.avail_in > 0) {
-        av_bprint_get_buffer(bp, 1, &buf, &buf_size);
-        if (!buf_size) {
+        av_bprint_get_buffer(bp, 2, &buf, &buf_size);
+        if (buf_size < 2) {
             ret = AVERROR(ENOMEM);
             goto fail;
         }
         zstream.next_out  = buf;
-        zstream.avail_out = buf_size;
+        zstream.avail_out = buf_size - 1;
         ret = inflate(&zstream, Z_PARTIAL_FLUSH);
         if (ret != Z_OK && ret != Z_STREAM_END) {
             ret = AVERROR_EXTERNAL;
author	Michael Niedermayer <michael@niedermayer.cc>	2017-01-23 01:25:27 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-08-23 13:15:16 +0200
commit	62244f37d116af28949787d160f80f5210083e55 (patch)
tree	1e03c1fb241075a3e59ef441f0c3b87b2a65577e
parent	14e5d6a009ea7927a8615b6e253a27ca248708ff (diff)
download	ffmpeg-62244f37d116af28949787d160f80f5210083e55.tar.gz