From 0465fc58e86bd02d8fd7f4046209d715a8ea43bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 19:12:25 +0100 Subject: [PATCH] avcodec/pngdec: Check bit depth for validity Fixes: runtime error: shift exponent 132 is too large for 32-bit type 'int' Fixes: 609/clusterfuzz-testcase-4825202619842560 See 11.2.2 IHDR Image header Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4279613a2652cdf2bee564f4b7244567e5ba91ba) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 0393c52322..a3973870e3 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } s->bit_depth = bytestream2_get_byte(&s->gb); + if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 && + s->bit_depth != 8 && s->bit_depth != 16) { + av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n"); + goto error; + } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); s->filter_type = bytestream2_get_byte(&s->gb); @@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, s->compression_type, s->filter_type, s->interlace_type); return 0; +error: + s->cur_w = s->cur_h = s->width = s->height = 0; + s->bit_depth = 8; + return AVERROR_INVALIDDATA; } static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s)