author | Michael Niedermayer <michael@niedermayer.cc> | 2024-06-16 19:33:02 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2024-06-26 20:49:35 +0200 |
commit | 4a7220bd5c1871827ee0edba14fc88f63173e169 (patch) | |
tree | a08cf274e9b64d4396f3ac3284ef1105318fbaf1 /libavcodec | |
parent | d34d4b6a7ce7fa72239c47d22ab6592d0687ac86 (diff) | |
avcodec/targaenc: Allocate space for the palette
Fixes: out of array access
Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/targaenc.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c index d9c500b97d..8f496c62bd 100644 --- a/libavcodec/targaenc.c +++ b/libavcodec/targaenc.c @@ -21,6 +21,7 @@ #include <string.h> +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -89,10 +90,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, TargaContext *s = avctx->priv_data; int bpp, picsize, datasize = -1, ret, i; uint8_t *out; + int maxpal = 32*32; picsize = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45)) < 0) + if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45 + maxpal)) < 0) return ret; /* zero out the header and only set applicable fields */ @@ -125,6 +127,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4)); } out += 32 * pal_bpp; /* skip past the palette we just output */ + av_assert0(32 * pal_bpp <= maxpal); break; } case AV_PIX_FMT_GRAY8: |
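Review bot: In the second hunk, `picsize` is still fed into `picsize + 45 + maxpal` without checking the result of `av_image_get_buffer_size()`, so a negative error return or a value close to `INT_MAX` would yield a wrong or overflowing packet size. A guard before `ff_alloc_packet()` such as `if (picsize < 0 || picsize > INT_MAX - 45 - maxpal) return AVERROR(EINVAL);` would close that; the dimensions may already be bounded in the encoder's init function, which is not visible here. `int maxpal = 32*32;` would also read better as a `const` with a comment saying it is the largest palette this encoder emits (the assert in the third hunk implies `32 * pal_bpp` bytes with `pal_bpp` at most 32). The body of `targa_encode_frame` starts and ends outside this hunk.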
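Review bot: The `av_assert0(32 * pal_bpp <= maxpal);` added in the third hunk runs only after the `AV_WL24` palette writes into `pkt->data` and after `out` has been advanced, so if the invariant were ever broken the out-of-bounds write would already have happened before the abort. Moving the assert ahead of the palette loop, right after `pal_bpp` is determined, would make it a precondition instead; that loop begins outside this hunk. A short comment such as `/* palette must fit in the maxpal bytes reserved by ff_alloc_packet() */` would tie the check to the allocation in the previous hunk.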