diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2019-01-23 00:16:02 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-01-31 00:24:38 +0100 |
| commit | f4079d5174c20eddbc99eef6ebe98d411f8014c5 (patch) | |
| tree | 5b21c5f696ec9a8fa0be20098bb2dc7bc0081153 | |
| parent | db1c4acd02af4de5dfbea6012c296470679aa7a6 (diff) | |
| download | ffmpeg-f4079d5174c20eddbc99eef6ebe98d411f8014c5.tar.gz | |
avcodec/rasc: Check uncompressed dlta size
We assume that if the compressed size is bigger than if each byte is encoded in a single raw packet
that the data is invalid.
Fixes: Out of memory
Fixes: 12208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5648916473708544
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/rasc.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 1b607ac31e..6e32c1540e 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -353,6 +353,8 @@ static int decode_dlta(AVCodecContext *avctx, compression = bytestream2_get_le32(gb); if (compression == 1) { + if (w * h * s->bpp * 3 < uncompressed_size) + return AVERROR_INVALIDDATA; ret = decode_zlib(avctx, avpkt, size, uncompressed_size); if (ret < 0) return ret; |