diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2018-09-18 00:28:37 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-09-19 00:46:41 +0200 |
commit | e33b28cc79d164fff22bfee750c9283587c00bc4 (patch) | |
tree | 50360a0426d66a5cf041ffbb6f2abe63c07dcab9 /libavcodec/zmbv.c | |
parent | 3d201b83cda03fd9e866acafee82d7ce88260e66 (diff) | |
download | ffmpeg-e33b28cc79d164fff22bfee750c9283587c00bc4.tar.gz |
avcodec/zmbv: Check that the decompressed data size is correct
This checks the value exactly for intra frames and checks it against a
minimum for inter frames as they can be variable.
Fixes: Timeout
Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/zmbv.c')
-rw-r--r-- | libavcodec/zmbv.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 177993d0a6..79e0892070 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -409,6 +409,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int zret = Z_OK; // Zlib return code int len = buf_size; int hi_ver, lo_ver, ret; + int expected_size; /* parse header */ if (len < 1) @@ -510,6 +511,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8)); c->decode_intra= decode_intra; } + if (c->flags & ZMBV_KEYFRAME) { + expected_size = avctx->width * avctx->height * (c->bpp / 8); + } else { + expected_size = (c->bx * c->by * 2 + 3) & ~3; + } + if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && + (c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME))) + expected_size += 768; if (!c->decode_intra) { av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n"); @@ -539,6 +548,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } c->decomp_len = c->zstream.total_out; } + if (expected_size > c->decomp_len || + (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) { + av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); + return AVERROR_INVALIDDATA; + } if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; |