[FFmpeg-cvslog] avcodec/huffyuvdec: Check slice_offset/size
Michael Niedermayer
git at videolan.org
Mon Jan 28 02:24:19 EET 2019
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Jan 21 00:39:43 2019 +0100| [fcbda8af175a1f305c46d6d46a4f90be4aa630ae] | committer: Michael Niedermayer
avcodec/huffyuvdec: Check slice_offset/size
Fixes: out of array access
Fixes: 12447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5201623956062208
Fixes: 12458/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705567736168448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fcbda8af175a1f305c46d6d46a4f90be4aa630ae
---
libavcodec/huffyuvdec.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
index 8226c07743..27f650d7bf 100644
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -1268,6 +1268,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
if (nb_slices > 1) {
slice_offset = AV_RL32(avpkt->data + slices_info_offset + slice * 8);
slice_size = AV_RL32(avpkt->data + slices_info_offset + slice * 8 + 4);
+
+ if (slice_offset < 0 || slice_size <= 0 || (slice_offset&3) ||
+ slice_offset + (int64_t)slice_size > buf_size)
+ return AVERROR_INVALIDDATA;
+
y_offset = height - (slice + 1) * slice_height;
s->bdsp.bswap_buf((uint32_t *)s->bitstream_buffer,
(const uint32_t *)(buf + slice_offset), slice_size / 4);
More information about the ffmpeg-cvslog
mailing list