author | Michael Niedermayer <michael@niedermayer.cc> | 2022-07-03 14:19:54 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2022-07-12 21:55:22 +0200 |
commit | 78b95530f0a1f04864079614b251b765b1ee77ec (patch) | |
tree | 0b6d5ed38ae11f1f56017edd37d1b399dad2c91a /libavcodec/ffv1dec.c | |
parent | ba0c3d1db420dfaeaec44a8bbd40ec5593dccb04 (diff) | |
avcodec/ffv1dec: Check for min packet size
Fixes: Timeout
Fixes: 48619/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5793597923917824
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/ffv1dec.c')
-rw-r--r-- | libavcodec/ffv1dec.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 7731c15c87..01ddcaa512 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -879,6 +879,14 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
 p->key_frame = 0;
 }
+ if (f->ac != AC_GOLOMB_RICE) {
+ if (buf_size < avctx->width * avctx->height / (128*8))
+ return AVERROR_INVALIDDATA;
+ } else {
+ if (buf_size < avctx->height / 8)
+ return AVERROR_INVALIDDATA;
+ }
+
 ret = ff_thread_get_ext_buffer(avctx, &f->picture, AV_GET_BUFFER_FLAG_REF);
 if (ret < 0)
 return ret;
|
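Review bot: The two thresholds in the added check, `avctx->width * avctx->height / (128*8)` for the non-Golomb-Rice path and `avctx->height / 8` for the Golomb-Rice path, are bare constants with no comment explaining where they come from. A bound set too high rejects valid, highly compressible frames with AVERROR_INVALIDDATA, while one set too low leaves the timeout reachable. I would add a comment above the `if` along the lines of `/* Reject packets too small to hold a frame of this size: <bits per pixel/row assumed for each coder> */`, so the assumption can be checked against the bitstream format. Separately, the product is computed in `int`; whether the dimensions are already bounded before this point is not visible here, because decode_frame starts and ends outside the hunk. If they are not, widening it avoids signed overflow on large dimensions: `if (buf_size < (int64_t)avctx->width * avctx->height / (128*8))`.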