[FFmpeg-cvslog] avcodec/mjpegdec: Check that reference frame matches the current frame

Michael Niedermayer git at videolan.org
Tue Jun 6 01:10:55 EEST 2017


ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Mon Jun  5 22:23:15 2017 +0200| [fb95f1d9d6d7b06060b96c2fc0eacdd2dbe4626d] | committer: Michael Niedermayer

avcodec/mjpegdec: Check that reference frame matches the current frame

Fixes: out of array read
Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fb95f1d9d6d7b06060b96c2fc0eacdd2dbe4626d
---

 libavcodec/mjpegdec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index c16baa2823..b51ebf450c 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1469,6 +1469,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
         return -1;
     }
 
+    if (reference) {
+        if (reference->width  != s->picture_ptr->width  ||
+            reference->height != s->picture_ptr->height ||
+            reference->format != s->picture_ptr->format) {
+            av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n");
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
     av_assert0(s->picture_ptr->data[0]);
     /* XXX: verify len field validity */
     len = get_bits(&s->gb, 16);



More information about the ffmpeg-cvslog mailing list