aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-05-01 22:54:15 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-05-04 19:52:23 +0200
commitd2657d225c14fcb560199ef0cefe34f76270ad92 (patch)
treef0c7d81460bc4e11bd5ed5c8377d40022b928e62
parentc1c3a14073b33f790075f2884ea5c64451a6c876 (diff)
downloadffmpeg-d2657d225c14fcb560199ef0cefe34f76270ad92.tar.gz
avcodec/flicvideo: Check for chunk overread
Fixes integer overflow Fixes: 1292/clusterfuzz-testcase-minimized-5795512143839232 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/flicvideo.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index b1b7b5a42f..7f9b871dc7 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -444,8 +444,12 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
break;
}
- if (stream_ptr_after_chunk - bytestream2_tell(&g2) > 0)
+ if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
+ } else {
+ av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
+ break;
+ }
frame_size -= chunk_size;
num_chunks--;
@@ -742,6 +746,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
break;
}
+ if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
+ bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
+ } else {
+ av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
+ break;
+ }
+
frame_size -= chunk_size;
num_chunks--;
}
@@ -1016,6 +1027,13 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
break;
}
+ if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
+ bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
+ } else {
+ av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
+ break;
+ }
+
frame_size -= chunk_size;
num_chunks--;
}