aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/ffv1dec.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2022-07-03 14:19:54 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2022-07-12 21:55:22 +0200
commit78b95530f0a1f04864079614b251b765b1ee77ec (patch)
tree0b6d5ed38ae11f1f56017edd37d1b399dad2c91a /libavcodec/ffv1dec.c
parentba0c3d1db420dfaeaec44a8bbd40ec5593dccb04 (diff)
downloadffmpeg-78b95530f0a1f04864079614b251b765b1ee77ec.tar.gz
avcodec/ffv1dec: Check for min packet size
Fixes: Timeout Fixes: 48619/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5793597923917824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/ffv1dec.c')
-rw-r--r--libavcodec/ffv1dec.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 7731c15c87..01ddcaa512 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -879,6 +879,14 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
p->key_frame = 0;
}
+ if (f->ac != AC_GOLOMB_RICE) {
+ if (buf_size < avctx->width * avctx->height / (128*8))
+ return AVERROR_INVALIDDATA;
+ } else {
+ if (buf_size < avctx->height / 8)
+ return AVERROR_INVALIDDATA;
+ }
+
ret = ff_thread_get_ext_buffer(avctx, &f->picture, AV_GET_BUFFER_FLAG_REF);
if (ret < 0)
return ret;