diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-10 18:45:08 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-10 18:46:27 +0200 |
commit | 54aaadf648073149f1ac34f56cbde4e6c5aa22ef (patch) | |
tree | 9ddce83beedf0d99254b533797ce3f6a33cfe2f7 /libavcodec | |
parent | 50be8f2142509bd14a8c245266959f166eb5c5d0 (diff) | |
download | ffmpeg-54aaadf648073149f1ac34f56cbde4e6c5aa22ef.tar.gz |
avcodec/cfhd: Check band parameters before storing them
Fixes out of array read
Fixes: 2169/clusterfuzz-testcase-minimized-5688641642823680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/cfhd.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 57a8d2b76e..ed127de29e 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -317,22 +317,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->prescale_shift[2] = (data >> 6) & 0x7; av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data); } else if (tag == 27) { - s->plane[s->channel_num].band[0][0].width = data; - s->plane[s->channel_num].band[0][0].stride = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].width = data; + s->plane[s->channel_num].band[0][0].stride = data; } else if (tag == 28) { - s->plane[s->channel_num].band[0][0].height = data; av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data); if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) { av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[0][0].height = data; } else if (tag == 1) av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data); else if (tag == 10) { @@ -363,39 +363,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2); } } else if (tag == 41) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 42) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 49) { - s->plane[s->channel_num].band[s->level][s->subband_num].width = data; - s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].width = data; + s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8); } else if (tag == 50) { - s->plane[s->channel_num].band[s->level][s->subband_num].height = data; av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data); if (data < 3) { av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n"); ret = AVERROR(EINVAL); break; } + s->plane[s->channel_num].band[s->level][s->subband_num].height = data; } else if (tag == 71) { s->codebook = data; av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", s->codebook); |