diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-04 13:38:02 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-16 01:05:29 +0200 |
commit | 90c38d6ab8df4198ee2ecb32e0f05af9ffb0a65a (patch) | |
tree | 8c75dff328edfe9991ea6d3eaf990a639b8d5765 | |
parent | 7edf95874053c05f36c256f9fdd08bc0e4825a4b (diff) | |
download | ffmpeg-90c38d6ab8df4198ee2ecb32e0f05af9ffb0a65a.tar.gz |
avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584
Fixes: Timeout
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/pafvideo.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index cab3129f8f..1618a3e7c3 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, uint8_t code, *dst, *end; int i, frame, ret; - if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) - return ret; + if (pkt->size < 2) + return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); + if ((code & 0xF) > 4) { + avpriv_request_sample(avctx, "unknown/invalid code"); + return AVERROR_INVALIDDATA; + } + + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) + return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); @@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, } break; default: - avpriv_request_sample(avctx, "unknown/invalid code"); - return AVERROR_INVALIDDATA; + av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], |