[FFmpeg-devel] [PATCH 1/8] avcodec/magicyuv: Check slice size before reading flags and pred
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Fri Oct 23 21:54:33 EEST 2020
Michael Niedermayer:
> Fixes: heap-buffer-overflow
> Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/magicyuv.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
> index ea1f727e5c..e2b7bdd326 100644
> --- a/libavcodec/magicyuv.c
> +++ b/libavcodec/magicyuv.c
> @@ -267,6 +267,9 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata,
> const uint8_t *slice = s->buf + s->slices[i][j].start;
> int flags, pred;
>
> + if (s->slices[i][j].size < 2)
> + return AVERROR_INVALIDDATA;
> +
> flags = bytestream_get_byte(&slice);
> pred = bytestream_get_byte(&slice);
>
>
It would be better to add this to line 625 to error out earlier (that's
where I forgot to check).
- Andreas
More information about the ffmpeg-devel
mailing list