[FFmpeg-cvslog] avcodec/xpmdec: Check size before allocation to avoid truncation
Michael Niedermayer
git at videolan.org
Sun Feb 26 15:17:27 EET 2023
ffmpeg | branch: release/6.0 | Michael Niedermayer <michael at niedermayer.cc> | Thu Jan 12 22:05:07 2023 +0100| [1eb1acb62b5afe215643a55f06c16545e5b20fb6] | committer: Michael Niedermayer
avcodec/xpmdec: Check size before allocation to avoid truncation
Fixes:OOM
Fixes:out of array access (no testcase)
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 95f0f84dae4f040d91f1e60dc5438612c58e8906)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1eb1acb62b5afe215643a55f06c16545e5b20fb6
---
libavcodec/xpmdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
index ff1f51dd32..2550afb9d6 100644
--- a/libavcodec/xpmdec.c
+++ b/libavcodec/xpmdec.c
@@ -354,6 +354,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
return AVERROR_INVALIDDATA;
}
+ if (size > SIZE_MAX / 4)
+ return AVERROR(ENOMEM);
+
size *= 4;
ptr += mod_strcspn(ptr, ",") + 1;
More information about the ffmpeg-cvslog
mailing list