aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/zmbv.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2018-09-18 00:28:37 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2018-09-19 00:46:41 +0200
commite33b28cc79d164fff22bfee750c9283587c00bc4 (patch)
tree50360a0426d66a5cf041ffbb6f2abe63c07dcab9 /libavcodec/zmbv.c
parent3d201b83cda03fd9e866acafee82d7ce88260e66 (diff)
downloadffmpeg-e33b28cc79d164fff22bfee750c9283587c00bc4.tar.gz
avcodec/zmbv: Check that the decompressed data size is correct
This checks the value exactly for intra frames and checks it against a minimum for inter frames as they can be variable. Fixes: Timeout Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/zmbv.c')
-rw-r--r--libavcodec/zmbv.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 177993d0a6..79e0892070 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -409,6 +409,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
int zret = Z_OK; // Zlib return code
int len = buf_size;
int hi_ver, lo_ver, ret;
+ int expected_size;
/* parse header */
if (len < 1)
@@ -510,6 +511,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8));
c->decode_intra= decode_intra;
}
+ if (c->flags & ZMBV_KEYFRAME) {
+ expected_size = avctx->width * avctx->height * (c->bpp / 8);
+ } else {
+ expected_size = (c->bx * c->by * 2 + 3) & ~3;
+ }
+ if (avctx->pix_fmt == AV_PIX_FMT_PAL8 &&
+ (c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME)))
+ expected_size += 768;
if (!c->decode_intra) {
av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n");
@@ -539,6 +548,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
}
c->decomp_len = c->zstream.total_out;
}
+ if (expected_size > c->decomp_len ||
+ (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) {
+ av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size);
+ return AVERROR_INVALIDDATA;
+ }
if (c->flags & ZMBV_KEYFRAME) {
frame->key_frame = 1;
frame->pict_type = AV_PICTURE_TYPE_I;