author | Michael Niedermayer <michael@niedermayer.cc> | 2019-12-12 23:13:02 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2020-01-18 18:35:57 +0100 |
commit | e7af64178a48b30bade107c2d2938b48bd86eb82 (patch) | |
tree | 27d7069821588309a3e9c99682906fc1b3b64251 /libavcodec | |
parent | 934cc1faf4b474542a18a4ae28cb5e6e4ce67d88 (diff) | |
avcodec/iff: Check input space before loop in decode_delta_d()
Fixes: Timeout (114sec ->108ms)
Fixes: 19290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5740598116220928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/iff.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index f82141d2e7..d826e78089 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -1354,6 +1354,9 @@ static void decode_delta_d(uint8_t *dst,
     bytestream2_init(&gb, buf + ofssrc, buf_end - (buf + ofssrc));
     entries = bytestream2_get_be32(&gb);
+    if (entries * 8LL > bytestream2_get_bytes_left(&gb))
+        return;
+
     while (entries && bytestream2_get_bytes_left(&gb) >= 8) {
         int32_t opcode = bytestream2_get_be32(&gb);
         unsigned offset = bytestream2_get_be32(&gb);
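Review bot: The `8LL` in the new guard is an unexplained constant whose meaning is only recoverable from the `>= 8` in the loop condition below it; a one-line comment above the check, `/* every entry consumes at least a 4-byte opcode plus a 4-byte offset */`, would tie the two together so they cannot drift apart when one is edited. The guard also depends on `entries` being an unsigned type, since a negative signed value multiplied by `8LL` stays below any byte count and passes straight through; `entries` is declared before the hunk, so that is worth confirming rather than assuming. decode_delta_d starts and ends outside the hunk, so it is not visible whether this code runs once per bitplane inside a loop; if it does, the early `return` abandons all remaining planes on one malformed entry count, whereas a `continue` would skip only that plane, and the intended behaviour should be stated in the commit or a comment.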