[FFmpeg-cvslog] avcodec/iff: limit written bytes to twice the output array size in decode_delta_l()

Michael Niedermayer git at videolan.org
Mon Nov 29 19:42:27 EET 2021


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Oct  2 23:37:05 2021 +0200| [3809467d4dc26a1ec7d7afb617c2a1f89eaa6a8b] | committer: Michael Niedermayer

avcodec/iff: limit written bytes to twice the output array size in  decode_delta_l()

Fixes: Timeout
Fixes: 39436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6624915520880640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3809467d4dc26a1ec7d7afb617c2a1f89eaa6a8b
---

 libavcodec/iff.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index 6a4c466b44..1dcf0e00ed 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -1456,6 +1456,7 @@ static void decode_delta_l(uint8_t *dst,
     int planepitch_byte = (w + 7) / 8;
     int planepitch = ((w + 15) / 16) * 2;
     int pitch = planepitch * bpp;
+    int count = 0;
 
     if (buf_end - buf <= 64)
         return;
@@ -1487,6 +1488,8 @@ static void decode_delta_l(uint8_t *dst,
             int16_t cnt = bytestream2_get_be16(&ogb);
             uint16_t data;
 
+            if (count > dst_size)
+                break;
             offset = ((2 * offset) / planepitch_byte) * pitch + ((2 * offset) % planepitch_byte) + k * planepitch;
             if (cnt < 0) {
                 if (bytestream2_get_bytes_left(&dgb) < 2)
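Review bot: The unit of `count` is not stated anywhere in the code, and the new guard compares it with `dst_size` even though every iteration of the two inner loops (see the `count += cnt;` lines added in the next two hunks) writes a 16-bit word, so the limit is really 2*dst_size bytes as the commit title says, not dst_size bytes as the check reads. A one-line comment next to the added `int count = 0;` in the first hunk would keep a later reader from "fixing" the comparison, e.g. `/* 16-bit words written so far; capped at dst_size words (2*dst_size bytes) to bound decode time on hostile input */`. Note also that the guard runs before the next run is started, so the run that first crosses the limit still completes (at most 32767 iterations given `int16_t cnt`), which is acceptable as a runtime bound since the writes themselves are bounded by the put context, but the comment should say this is a time limit rather than a memory-safety check. decode_delta_l() begins and ends outside these hunks, and the declaration of `dst_size` is not visible here, so I am assuming it is in bytes.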
@@ -1494,6 +1497,7 @@ static void decode_delta_l(uint8_t *dst,
                 bytestream2_seek_p(&pb, offset, SEEK_SET);
                 cnt = -cnt;
                 data = bytestream2_get_be16(&dgb);
+                count += cnt;
                 for (i = 0; i < cnt; i++) {
                     bytestream2_put_be16(&pb, data);
                     bytestream2_skip_p(&pb, dstpitch - 2);
@@ -1502,6 +1506,7 @@ static void decode_delta_l(uint8_t *dst,
                 if (bytestream2_get_bytes_left(&dgb) < 2*cnt)
                     break;
                 bytestream2_seek_p(&pb, offset, SEEK_SET);
+                count += cnt;
                 for (i = 0; i < cnt; i++) {
                     data = bytestream2_get_be16(&dgb);
                     bytestream2_put_be16(&pb, data);


