aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-11-23 09:18:12 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2020-07-02 19:55:09 +0200
commit71c228d2b8c93857a104c034937b1350d1959b3f (patch)
tree6f72a96a1387d17912cfdacdf495d6b7b233d164
parent3191aecdfa7ec0218c578c031ae9555bb2f98c2b (diff)
downloadffmpeg-71c228d2b8c93857a104c034937b1350d1959b3f.tar.gz
avcodec/wmavoice: Check remaining input in parse_packet_header()
Fixes: Infinite loop Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 19c41969b26d07519fff8182a0d3266cdb712078) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/wmavoice.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index abea3a6751..4c764a8f01 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1835,6 +1835,9 @@ static int parse_packet_header(WMAVoiceContext *s)
skip_bits(gb, 4); // packet sequence number
s->has_residual_lsps = get_bits1(gb);
do {
+ if (get_bits_left(gb) < 6 + s->spillover_bitsize)
+ return AVERROR_INVALIDDATA;
+
res = get_bits(gb, 6); // number of superframes per packet
// (minus first one if there is spillover)
n_superframes += res;