aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-01-21 00:39:43 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2019-01-28 01:09:38 +0100
commitfcbda8af175a1f305c46d6d46a4f90be4aa630ae (patch)
tree1115d8dd0389a03df064b9cdcf43d3c8578c8bf5
parent4523cc5e75c8ecfba8975d16e96c29f9bf70973f (diff)
downloadffmpeg-fcbda8af175a1f305c46d6d46a4f90be4aa630ae.tar.gz
avcodec/huffyuvdec: Check slice_offset/size
Fixes: out of array access Fixes: 12447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5201623956062208 Fixes: 12458/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705567736168448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/huffyuvdec.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
index 8226c07743..27f650d7bf 100644
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -1268,6 +1268,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
if (nb_slices > 1) {
slice_offset = AV_RL32(avpkt->data + slices_info_offset + slice * 8);
slice_size = AV_RL32(avpkt->data + slices_info_offset + slice * 8 + 4);
+
+ if (slice_offset < 0 || slice_size <= 0 || (slice_offset&3) ||
+ slice_offset + (int64_t)slice_size > buf_size)
+ return AVERROR_INVALIDDATA;
+
y_offset = height - (slice + 1) * slice_height;
s->bdsp.bswap_buf((uint32_t *)s->bitstream_buffer,
(const uint32_t *)(buf + slice_offset), slice_size / 4);