author | Michael Niedermayer <michael@niedermayer.cc> | 2019-08-10 17:34:37 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-12-06 20:30:57 +0100 |
commit | 9a46d72235801aebe020b69b0554b601515b8003 (patch) | |
tree | 2fcd9a91681c3b7e27d7d05f65c4ef4a082381a8 | |
parent | db0b4479050ec0aa7c6f3697389b713790810ef8 (diff) | |
download | ffmpeg-9a46d72235801aebe020b69b0554b601515b8003.tar.gz |
avcodec/cavsdec: Limit the number of access units per packet to 2
Fixes: Timeout (122sec -> 13ms)
Fixes: 15978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5148925004087296
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37bc8e3249c88b733bcc0d8c74cdf668292e4d63)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/cavsdec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 2d64f9d7cc..f470a13a91 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1207,6 +1207,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     int input_size, ret;
     const uint8_t *buf_end;
     const uint8_t *buf_ptr;
+    int frame_start = 0;
 
     if (buf_size == 0) {
         if (!h->low_delay && h->DPB[0].f->data[0]) {
@@ -1240,6 +1241,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                 h->got_keyframe = 1;
             }
         case PIC_PB_START_CODE:
+            if (frame_start > 1)
+                return AVERROR_INVALIDDATA;
+            frame_start ++;
             if (*got_frame)
                 av_frame_unref(data);
             *got_frame = 0;
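Review bot: The bound in `if (frame_start > 1)` of the second hunk is a bare literal with nothing saying why exactly two picture start codes per packet are tolerated, so a later reader cannot tell whether a third one is corrupt input or a legitimate stream the decoder chose not to support; a comment such as `/* at most two pictures per packet; more is rejected as corrupt input (unbounded work, see fuzzer timeout) */` above the check, or a named constant in place of the literal, would record that. The early return also happens before the `if (*got_frame) av_frame_unref(data);` that follows it, so if a picture has already been reported through `*got_frame` the call returns AVERROR_INVALIDDATA with that flag still set — presumably the caller discards the frame on error, but that is worth confirming or documenting at the return. FFmpeg style writes the increment as `frame_start++;` without the space. cavs_decode_frame begins before the first hunk and ends after the second.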