diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-05-01 22:54:15 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-05-04 19:52:23 +0200 |
commit | d2657d225c14fcb560199ef0cefe34f76270ad92 (patch) | |
tree | f0c7d81460bc4e11bd5ed5c8377d40022b928e62 | |
parent | c1c3a14073b33f790075f2884ea5c64451a6c876 (diff) | |
download | ffmpeg-d2657d225c14fcb560199ef0cefe34f76270ad92.tar.gz |
avcodec/flicvideo: Check for chunk overread
Fixes integer overflow
Fixes: 1292/clusterfuzz-testcase-minimized-5795512143839232
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/flicvideo.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index b1b7b5a42f..7f9b871dc7 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -444,8 +444,12 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, break; } - if (stream_ptr_after_chunk - bytestream2_tell(&g2) > 0) + if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) { bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2)); + } else { + av_log(avctx, AV_LOG_ERROR, "Chunk overread\n"); + break; + } frame_size -= chunk_size; num_chunks--; @@ -742,6 +746,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, break; } + if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) { + bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2)); + } else { + av_log(avctx, AV_LOG_ERROR, "Chunk overread\n"); + break; + } + frame_size -= chunk_size; num_chunks--; } @@ -1016,6 +1027,13 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, break; } + if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) { + bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2)); + } else { + av_log(avctx, AV_LOG_ERROR, "Chunk overread\n"); + break; + } + frame_size -= chunk_size; num_chunks--; } |