[FFmpeg-devel] [PATCH 7/7] avcodec/cri: check for available input in unpack_10bit()

Andreas Rheinhardt andreas.rheinhardt at gmail.com
Tue Nov 10 02:46:10 EET 2020


Michael Niedermayer:
> Fixes: Timeout (>20sec -> 56ms)
> Fixes: 26995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-5107217080254464
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/cri.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/libavcodec/cri.c b/libavcodec/cri.c
> index dafbc1f1be..9bcd2ebfc6 100644
> --- a/libavcodec/cri.c
> +++ b/libavcodec/cri.c
> @@ -80,10 +80,13 @@ static void unpack_10bit(GetByteContext *gb, uint16_t *dst, int shift,
>      int pos = 0;
>  
>      while (count > 0) {
> -        uint32_t a0 = bytestream2_get_le32(gb);
> -        uint32_t a1 = bytestream2_get_le32(gb);
> -        uint32_t a2 = bytestream2_get_le32(gb);
> -        uint32_t a3 = bytestream2_get_le32(gb);
> +        uint32_t a0, a1,a2,a3;
> +        if (bytestream2_get_bytes_left(gb) < 4)
> +            break;
> +        a0 = bytestream2_get_le32(gb);
> +        a1 = bytestream2_get_le32(gb);
> +        a2 = bytestream2_get_le32(gb);
> +        a3 = bytestream2_get_le32(gb);
>          dst[pos] = (((a0 >> 1) & 0xE00) | (a0 & 0x1FF)) << shift;
>          pos++;
>          if (pos >= w) {
> 
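Review bot: the new guard `if (bytestream2_get_bytes_left(gb) < 4)` only covers the first of the four `bytestream2_get_le32()` calls that follow it, so with 4 to 15 bytes left the loop still runs one more iteration and the later reads return zero from the bounds-checked reader rather than real input, storing padding-derived samples into `dst`. Suggest `if (bytestream2_get_bytes_left(gb) < 16) break;` so the break covers the whole 16-byte group that one iteration consumes; with that check in place the four reads can use the unchecked `bytestream2_get_le32u()` variant and drop four redundant per-iteration bounds checks. Minor style point: `uint32_t a0, a1,a2,a3;` should use consistent spacing (`uint32_t a0, a1, a2, a3;`).
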
Wouldn't it make sense to check for 16 bytes to be left given that
that's the amount that is read immediately afterwards? And if you check
for this, you could just use bytestream2_get_le32u().

- Andreas
