[FFmpeg-cvslog] avcodec/hq_hqa: Check available space before reading slice offsets
Michael Niedermayer
git at videolan.org
Thu Jun 27 20:48:11 EEST 2019
ffmpeg | branch: release/4.1 | Michael Niedermayer <michael at niedermayer.cc> | Sat May 11 23:05:47 2019 +0200| [1d015d840b47643562541fdffd325b8d6622a436] | committer: Michael Niedermayer
avcodec/hq_hqa: Check available space before reading slice offsets
Fixes: Timeout (43sec -> 18sec)
Fixes: 14556/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5673543024508928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 407e7c34ca8a3047e4f1b14287053638b4add68d)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d015d840b47643562541fdffd325b8d6622a436
---
libavcodec/hq_hqa.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index ec9da3e04f..90bafdc72a 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -248,6 +248,9 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size)
int width, height, quant;
const uint8_t *src = ctx->gbc.buffer;
+ if (bytestream2_get_bytes_left(&ctx->gbc) < 8 + 4*(num_slices + 1))
+ return AVERROR_INVALIDDATA;
+
width = bytestream2_get_be16(&ctx->gbc);
height = bytestream2_get_be16(&ctx->gbc);
More information about the ffmpeg-cvslog
mailing list