[FFmpeg-devel] [PATCH 1/2] avcodec/vp9: Check in decode_tiles() if there is data remaining

Michael Niedermayer michael at niedermayer.cc
Sun Aug 5 04:16:41 EEST 2018


Fixes: Timeout
Fixes: 9330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5707345857347584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/vp9.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index b1178c9c0c..4ca51ec108 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -1302,6 +1302,9 @@ static int decode_tiles(AVCodecContext *avctx,
                         memset(lflvl_ptr->mask, 0, sizeof(lflvl_ptr->mask));
                     }
 
+                    if (td->c->end <= td->c->buffer && td->c->bits >= 0) {
+                        return AVERROR_INVALIDDATA;
+                    }
                     if (s->pass == 2) {
                         decode_sb_mem(td, row, col, lflvl_ptr,
                                       yoff2, uvoff2, BL_64X64);
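Review bot: the new early-return condition `td->c->end <= td->c->buffer && td->c->bits >= 0` is open-coded with no comment saying what it detects (the range coder has consumed all of its input, so further symbol reads would only produce padding). A one-line comment, or a small named helper in the range-coder header that both this site and any future caller can use, would make the intent clear and keep the two-field check from drifting out of sync with the coder implementation. Also worth noting in the commit message: the check sits before `if (s->pass == 2)`, so it fires in both decoding passes and turns a truncated tile into a hard `AVERROR_INVALIDDATA` rather than a warning plus continuation; that is a reasonable choice for fuzzer-found timeouts, but it should be stated so that streams with a short final tile are understood to be rejected.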
-- 
2.18.0
