diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2018-01-22 14:02:59 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-07-08 13:07:06 +0200 |
| commit | 7348bbf9c28c7acb3ca8173b0f4e993dac0dfc11 (patch) | |
| tree | e982b29cb9dc4eb729fa9b28a32d599a15d16263 | |
| parent | a8b92327f8cd3161934c5f6151db289d370702bf (diff) | |
| download | ffmpeg-7348bbf9c28c7acb3ca8173b0f4e993dac0dfc11.tar.gz | |
avcodec/dxtory: Fix bits left checks
Fixes: Timeout
Fixes: 4863/clusterfuzz-testcase-6347354178322432
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e1a167c5564085385488b4f579e9efb987d4bfa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/dxtory.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index ea5da610da..4a6d6bbbf5 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -326,7 +326,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { b = decode_sym_565(gb, lru[0], 5); g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5); @@ -392,7 +392,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { dst[x * 3 + 0] = decode_sym(gb, lru[0]); dst[x * 3 + 1] = decode_sym(gb, lru[1]); @@ -437,7 +437,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + (ustride >> 2) * line; uint8_t *V = frame->data[2] + (vstride >> 2) * line; - for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) { + for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) { for (x = 0; x < width; x += 4) { for (j = 0; j < 4; j++) for (i = 0; i < 4; i++) @@ -481,7 +481,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, uint8_t *V = frame->data[2] + (vstride >> 1) * line; - for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) { + for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) { for (x = 0; x < width; x += 2) { Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]); Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]); @@ -524,7 +524,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + ustride * line; uint8_t *V = frame->data[2] + vstride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { Y[x] = decode_sym(gb, lru[0]); U[x] = decode_sym(gb, lru[1]) ^ 0x80; |