[FFmpeg-devel] [PATCH] avcodec/escape124: Check buf_size against num_superblocks
Michael Niedermayer
michael at niedermayer.cc
Mon Jun 25 03:33:12 EEST 2018
Fixes: Timeout
Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/escape124.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
index eb051eba54..14f9396332 100644
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,
// This call also guards the potential depth reads for the
// codebook unpacking.
- if (get_bits_left(&gb) < 64)
+ // Check if the amount we will read minimally is available on input.
+ // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320
+ // represent a lower bound of the space needed for skiped superblocks. Non
+ // skipped SBs need more space.
+ if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)
return -1;
frame_flags = get_bits_long(&gb, 32);
--
2.18.0
More information about the ffmpeg-devel
mailing list