avformat/vividas: improve extradata packing checks in track_header()

Fixes: out of array accesses Fixes: 26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6581200338288640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-10-28 20:11:54 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-11-04 23:30:53 +0100
commit: 27a99e2c7d450fef15594671eef4465c8a166bd7 (patch)
tree: eeeca163a5d147ad2d437ee1d6d7f37f00f25f81 /libavformat
parent: 437b7302b09a04e0fbfcd594114b52c5c6d89d32 (diff)
download: ffmpeg-27a99e2c7d450fef15594671eef4465c8a166bd7.tar.gz
1 files changed, 6 insertions, 6 deletions
diff --git a/libavformat/vividas.c b/libavformat/vividas.c
index 83d0ed1167..46c66bf9a0 100644
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -28,6 +28,7 @@
  * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV
  */
 
+#include "libavutil/avassert.h"
 #include "libavutil/intreadwrite.h"
 #include "avio_internal.h"
 #include "avformat.h"
@@ -379,7 +380,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
 
         if (avio_tell(pb) < off) {
             int num_data;
-            int xd_size = 0;
+            int xd_size = 1;
             int data_len[256];
             int offset = 1;
             uint8_t *p;
@@ -393,10 +394,10 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
                     return AVERROR_INVALIDDATA;
                 }
                 data_len[j] = len;
-                xd_size += len;
+                xd_size += len + 1 + len/255;
             }
 
-            ret = ff_alloc_extradata(st->codecpar, 64 + xd_size + xd_size / 255);
+            ret = ff_alloc_extradata(st->codecpar, xd_size);
             if (ret < 0)
                 return ret;
 
@@ -405,9 +406,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
 
             for (j = 0; j < num_data - 1; j++) {
                 unsigned delta = av_xiphlacing(&p[offset], data_len[j]);
-                if (delta > data_len[j]) {
-                    return AVERROR_INVALIDDATA;
-                }
+                av_assert0(delta <= xd_size - offset);
                 offset += delta;
             }
 
@@ -418,6 +417,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *
                     av_freep(&st->codecpar->extradata);
                     break;
                 }
+                av_assert0(data_len[j] <= xd_size - offset);
                 offset += data_len[j];
             }
author	Michael Niedermayer <michael@niedermayer.cc>	2020-10-28 20:11:54 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-11-04 23:30:53 +0100
commit	27a99e2c7d450fef15594671eef4465c8a166bd7 (patch)
tree	eeeca163a5d147ad2d437ee1d6d7f37f00f25f81 /libavformat
parent	437b7302b09a04e0fbfcd594114b52c5c6d89d32 (diff)
download	ffmpeg-27a99e2c7d450fef15594671eef4465c8a166bd7.tar.gz