[FFmpeg-cvslog] avformat/mspdec: Check packet_size more completely

Michael Niedermayer git at videolan.org
Wed Mar 3 17:55:05 EET 2021


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed Mar  3 11:00:23 2021 +0100| [787501db16cbe6874ad42acd539fa4595dd64e66] | committer: Michael Niedermayer

avformat/mspdec: Check packet_size more completely

Fixes: OOM
Fixes: 28348/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-4612055872831488
Fixes: 28360/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-6245230626078720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=787501db16cbe6874ad42acd539fa4595dd64e66
---

 libavformat/mspdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/mspdec.c b/libavformat/mspdec.c
index b81d835a63..4845eb3729 100644
--- a/libavformat/mspdec.c
+++ b/libavformat/mspdec.c
@@ -70,11 +70,12 @@ static int msp_read_header(AVFormatContext *s)
 
     if (st->codecpar->codec_id == AV_CODEC_ID_RAWVIDEO) {
         cntx->packet_size = av_image_get_buffer_size(st->codecpar->format, st->codecpar->width, st->codecpar->height, 1);
-        if (cntx->packet_size < 0)
-            return cntx->packet_size;
     } else
         cntx->packet_size = 2 * st->codecpar->height;
 
+    if (cntx->packet_size <= 0)
+        return cntx->packet_size < 0 ? cntx->packet_size : AVERROR_INVALIDDATA;
+
     return 0;
 }
 



More information about the ffmpeg-cvslog mailing list