[FFmpeg-cvslog] avcodec/wnv1: More strict buffer size check

Michael Niedermayer git at videolan.org
Tue Jun 6 01:06:16 EEST 2017


ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Sun May 28 03:18:02 2017 +0200| [19556586d50817c07eb16a5c135d3e17d7e7c71c] | committer: Michael Niedermayer

avcodec/wnv1: More strict buffer size check

This requires at least 25% of a picture to allocate and decode it

Fixes: Timeout
Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 7f50c25124a015a539823077bb302ff0c7ce8963)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19556586d50817c07eb16a5c135d3e17d7e7c71c
---

 libavcodec/wnv1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c
index 126c01a02d..915e9c7dc9 100644
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx,
     int prev_y = 0, prev_u = 0, prev_v = 0;
     uint8_t *rbuf;
 
-    if (buf_size <= 8) {
+    if (buf_size < 8 + avctx->height * (avctx->width/2)/8) {
         av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size);
         return AVERROR_INVALIDDATA;
     }



More information about the ffmpeg-cvslog mailing list