[FFmpeg-devel] [PATCH 2/2] avcodec/cdtoons: Fix off by 4 check on diff_size
Paul B Mahol
onemda at gmail.com
Thu Feb 20 21:11:34 EET 2020
Are you sure this is correct?
Does asan reports exactly overread by 4?
On 2/20/20, Michael Niedermayer <michael at niedermayer.cc> wrote:
> Fixes: out of array read
> Fixes:
> 20742/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDTOONS_fuzzer-5738148607033344
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/cdtoons.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/cdtoons.c b/libavcodec/cdtoons.c
> index dc4fa6bf0b..d5dce6351f 100644
> --- a/libavcodec/cdtoons.c
> +++ b/libavcodec/cdtoons.c
> @@ -269,7 +269,7 @@ static int cdtoons_decode_frame(AVCodecContext *avctx,
> void *data,
> diff_size = bytestream_get_be32(&buf);
> width = bytestream_get_be16(&buf);
> height = bytestream_get_be16(&buf);
> - if (diff_size < 4 || diff_size - 4 > eod - buf) {
> + if (diff_size < 8 || diff_size - 4 > eod - buf) {
> av_log(avctx, AV_LOG_WARNING, "Ran (seriously) out of
> data for Diff frame data.\n");
> return AVERROR_INVALIDDATA;
> }
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
More information about the ffmpeg-devel
mailing list