aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-06-04 13:38:02 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-06-16 01:05:29 +0200
commit90c38d6ab8df4198ee2ecb32e0f05af9ffb0a65a (patch)
tree8c75dff328edfe9991ea6d3eaf990a639b8d5765
parent7edf95874053c05f36c256f9fdd08bc0e4825a4b (diff)
downloadffmpeg-90c38d6ab8df4198ee2ecb32e0f05af9ffb0a65a.tar.gz
avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/pafvideo.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c
index cab3129f8f..1618a3e7c3 100644
--- a/libavcodec/pafvideo.c
+++ b/libavcodec/pafvideo.c
@@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data,
uint8_t code, *dst, *end;
int i, frame, ret;
- if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
- return ret;
+ if (pkt->size < 2)
+ return AVERROR_INVALIDDATA;
bytestream2_init(&c->gb, pkt->data, pkt->size);
code = bytestream2_get_byte(&c->gb);
+ if ((code & 0xF) > 4) {
+ avpriv_request_sample(avctx, "unknown/invalid code");
+ return AVERROR_INVALIDDATA;
+ }
+
+ if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
+ return ret;
+
if (code & 0x20) { // frame is keyframe
for (i = 0; i < 4; i++)
memset(c->frame[i], 0, c->frame_size);
@@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data,
}
break;
default:
- avpriv_request_sample(avctx, "unknown/invalid code");
- return AVERROR_INVALIDDATA;
+ av_assert0(0);
}
av_image_copy_plane(c->pic->data[0], c->pic->linesize[0],