aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-03-13 21:48:25 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2019-03-20 21:12:45 +0100
commit9d20901b92b551412f7876738176f00fb7177ee7 (patch)
tree9cceebf50ccc5cc2af044c199a59ffded3dcd9e4
parent8f63fa4c2ec1cbdc92d3ebe29ff5b498e4acafdb (diff)
downloadffmpeg-9d20901b92b551412f7876738176f00fb7177ee7.tar.gz
avcodec/arbc: Check nb_segments before allocating and copying frame
Fixes: Timeout (30sec -> 2sec) Fixes: 13578/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARBC_fuzzer-5685625527730176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/arbc.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/libavcodec/arbc.c b/libavcodec/arbc.c
index 11942e1983..a8b0bb0d8b 100644
--- a/libavcodec/arbc.c
+++ b/libavcodec/arbc.c
@@ -117,6 +117,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,
if (avpkt->size < 10)
return AVERROR_INVALIDDATA;
+ bytestream2_init(&s->gb, avpkt->data, avpkt->size);
+ bytestream2_skip(&s->gb, 8);
+ nb_segments = bytestream2_get_le16(&s->gb);
+ if (nb_segments == 0)
+ keyframe = 0;
+
+ if (7 * nb_segments > bytestream2_get_bytes_left(&s->gb))
+ return AVERROR_INVALIDDATA;
+
if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
return ret;
@@ -126,12 +135,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
return ret;
}
- bytestream2_init(&s->gb, avpkt->data, avpkt->size);
- bytestream2_skip(&s->gb, 8);
- nb_segments = bytestream2_get_le16(&s->gb);
- if (nb_segments == 0)
- keyframe = 0;
-
for (int i = 0; i < nb_segments; i++) {
int resolution_flag;
int fill;