author | Michael Niedermayer <michael@niedermayer.cc> | 2019-03-13 21:48:25 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-03-20 21:12:45 +0100 |
commit | 9d20901b92b551412f7876738176f00fb7177ee7 (patch) | |
tree | 9cceebf50ccc5cc2af044c199a59ffded3dcd9e4 | |
parent | 8f63fa4c2ec1cbdc92d3ebe29ff5b498e4acafdb (diff) | |
download | ffmpeg-9d20901b92b551412f7876738176f00fb7177ee7.tar.gz |
avcodec/arbc: Check nb_segments before allocating and copying frame
Fixes: Timeout (30sec -> 2sec)
Fixes: 13578/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARBC_fuzzer-5685625527730176
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/arbc.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/libavcodec/arbc.c b/libavcodec/arbc.c
index 11942e1983..a8b0bb0d8b 100644
--- a/libavcodec/arbc.c
+++ b/libavcodec/arbc.c
@@ -117,6 +117,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,
     if (avpkt->size < 10)
         return AVERROR_INVALIDDATA;
+    bytestream2_init(&s->gb, avpkt->data, avpkt->size);
+    bytestream2_skip(&s->gb, 8);
+    nb_segments = bytestream2_get_le16(&s->gb);
+    if (nb_segments == 0)
+        keyframe = 0;
+
+    if (7 * nb_segments > bytestream2_get_bytes_left(&s->gb))
+        return AVERROR_INVALIDDATA;
+
     if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
         return ret;
@@ -126,12 +135,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
         return ret;
     }
-    bytestream2_init(&s->gb, avpkt->data, avpkt->size);
-    bytestream2_skip(&s->gb, 8);
-    nb_segments = bytestream2_get_le16(&s->gb);
-    if (nb_segments == 0)
-        keyframe = 0;
-
     for (int i = 0; i < nb_segments; i++) {
         int resolution_flag;
         int fill;
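Review bot: The new bound `if (7 * nb_segments > bytestream2_get_bytes_left(&s->gb))` in the first hunk hard-codes 7 with nothing saying what it represents, so a later change to the per-segment layout cannot be checked against it; add a comment above the check such as `/* each segment consumes at least 7 bytes; reject oversized segment counts before allocating the frame */` and consider giving the constant a name next to the per-segment reads it describes. Because this is only a lower bound, a packet whose segments consume more than 7 bytes each can still pass the check with too little data, which the bytestream2 reader presumably tolerates by returning zeros; it is worth confirming that such a frame is rejected rather than returned partially filled. The move also places `keyframe = 0` before `ff_get_buffer()`, so any code between the two that reads keyframe now sees the updated value; decode_frame starts and ends outside the hunk, so that stretch should be checked.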