aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-01-23 01:25:27 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2017-02-03 15:59:14 +0100
commit99c78466ff27311b2a06d874cb7bbd8b1cefc597 (patch)
treebaf09426e9ab5b0e383e65e1c450334c1b3cecc5 /libavcodec
parenta6639334df63639ae333f81c43098ed8ee360ee9 (diff)
downloadffmpeg-99c78466ff27311b2a06d874cb7bbd8b1cefc597.tar.gz
avcodec/pngdec: Fix off by 1 size in decode_zbuf()
Fixes out of array access Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit e371f031b942d73e02c090170975561fabd5c264) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/pngdec.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 24318fbeaf..5443332277 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data,
av_bprint_init(bp, 0, -1);
while (zstream.avail_in > 0) {
- av_bprint_get_buffer(bp, 1, &buf, &buf_size);
- if (!buf_size) {
+ av_bprint_get_buffer(bp, 2, &buf, &buf_size);
+ if (buf_size < 2) {
ret = AVERROR(ENOMEM);
goto fail;
}
zstream.next_out = buf;
- zstream.avail_out = buf_size;
+ zstream.avail_out = buf_size - 1;
ret = inflate(&zstream, Z_PARTIAL_FLUSH);
if (ret != Z_OK && ret != Z_STREAM_END) {
ret = AVERROR_EXTERNAL;