diff options
| author | Kieran Kunhya <kieran@kunhya.com> | 2016-04-10 16:22:15 +0100 |
|---|---|---|
| committer | Kieran Kunhya <kieran@kunhya.com> | 2016-04-28 21:33:08 +0100 |
| commit | e9a9ca1936ea2853cdfb8913d44711d240eec60d (patch) | |
| tree | a14fd5583308246454ac8910a76c8363c1a6af31 | |
| parent | 3cb3dddeb49003cd7c1503889b60ce652aafd912 (diff) | |
| download | ffmpeg-e9a9ca1936ea2853cdfb8913d44711d240eec60d.tar.gz | |
avcodec/cfhd: Don't decode coefficients if no end of header tag found. Fixes fuzzed files such as the one in in ticket #5383
| -rw-r--r-- | libavcodec/cfhd.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index d3695689a9..d82eab832a 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -137,11 +137,17 @@ static void vert_filter(int16_t *output, int out_stride, int16_t *low, int low_s static void free_buffers(AVCodecContext *avctx) { CFHDContext *s = avctx->priv_data; - int i; + int i, j; for (i = 0; i < 4; i++) { av_freep(&s->plane[i].idwt_buf); av_freep(&s->plane[i].idwt_tmp); + + for (j = 0; j < 9; j++) + s->plane[i].subband[j] = NULL; + + for (j = 0; j < 8; j++) + s->plane[i].l_h[j] = NULL; } s->a_height = 0; s->a_width = 0; @@ -450,6 +456,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, int lowpass_a_height = s->plane[s->channel_num].band[0][0].a_height; int lowpass_a_width = s->plane[s->channel_num].band[0][0].a_width; + if (!got_buffer) { + av_log(avctx, AV_LOG_ERROR, "No end of header tag found\n"); + ret = AVERROR(EINVAL); + goto end; + } + if (lowpass_height > lowpass_a_height || lowpass_width > lowpass_a_width || lowpass_a_width * lowpass_a_height * sizeof(int16_t) > bytestream2_get_bytes_left(&gb)) { av_log(avctx, AV_LOG_ERROR, "Too many lowpass coefficients\n"); @@ -489,6 +501,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, int level, run, coeff; int count = 0, bytes; + if (!got_buffer) { + av_log(avctx, AV_LOG_ERROR, "No end of header tag found\n"); + ret = AVERROR(EINVAL); + goto end; + } + if (highpass_height > highpass_a_height || highpass_width > highpass_a_width || a_expected < expected) { av_log(avctx, AV_LOG_ERROR, "Too many highpass coefficents\n"); ret = AVERROR(EINVAL); |