avformat/flvdec: Check for nesting depth in amf_parse_object()

Fixes: out of array access Fixes: 29202/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5112845840809984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 074e204b42acdacc0a055671481e00914524af93) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-01-23 21:20:57 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-10-09 22:02:20 +0200
commit: 96d4eaf592bd9d71395339ca424bb4fd1a53ef35 (patch)
tree: e6cf9f4a9fb60554d6d0eab706c8059af91e1eb3
parent: 14046c7ba69339ced152c2a4c7bdcae589f4eda1 (diff)
download: ffmpeg-96d4eaf592bd9d71395339ca424bb4fd1a53ef35.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index f13044329a..4ef81f2dcf 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -41,6 +41,8 @@
 
 #define RESYNC_BUFFER_SIZE (1<<20)
 
+#define MAX_DEPTH 16      ///< arbitrary limit to prevent unbounded recursion
+
 typedef struct FLVContext {
     const AVClass *class; ///< Class for private options.
     int trust_metadata;   ///< configure streams according onMetaData
@@ -455,6 +457,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream,
     char str_val[1024];
     double num_val;
 
+    if (depth > MAX_DEPTH)
+        return AVERROR_PATCHWELCOME;
+
     num_val  = 0;
     ioc      = s->pb;
     if (avio_feof(ioc))
author	Michael Niedermayer <michael@niedermayer.cc>	2021-01-23 21:20:57 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-10-09 22:02:20 +0200
commit	96d4eaf592bd9d71395339ca424bb4fd1a53ef35 (patch)
tree	e6cf9f4a9fb60554d6d0eab706c8059af91e1eb3
parent	14046c7ba69339ced152c2a4c7bdcae589f4eda1 (diff)
download	ffmpeg-96d4eaf592bd9d71395339ca424bb4fd1a53ef35.tar.gz