mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-03 05:10:03 +02:00

avcodec/pictordec: Check that the image fits in the input

Fixes: Timeout
Fixes: 53438/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5458939919859712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 2022-11-22 21:54:51 +01:00
parent 5185d5656b
commit 1fdb65d2b7
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64

@ -162,6 +162,25 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
return -1;
/*
There are 2 coding modes, RLE and RAW.
Undamaged RAW should be proportional to W*H and thus bigger than RLE
RLE codes the most compressed runs by
1 byte for val (=marker)
1 byte run (=0)
2 bytes run
1 byte val
thats 5 bytes and the maximum run we can code is 65535
The RLE decoder can exit prematurly but it does not on any image available
Based on this the formula is assumed correct for undamaged images.
If an image is found which exploits the special end
handling and breaks this formula then this needs to be adapted.
*/
if (bytestream2_get_bytes_left(&s->g) < s->width * s->height / 65535 * 5)
return AVERROR_INVALIDDATA;
if (s->width != avctx->width || s->height != avctx->height) {
ret = ff_set_dimensions(avctx, s->width, s->height);
if (ret < 0)
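Review bot: the bound in `if (bytestream2_get_bytes_left(&s->g) < s->width * s->height / 65535 * 5)` divides before it multiplies, so it rounds down and evaluates to 0 for any image with fewer than 65535 pixels; that is safe in the sense that it never rejects a valid file, but it also means only large dimensions are caught, and the comment should say plainly that this is a coarse lower bound intended to stop the timeout on oversized images, not a general input-size validation. The comment also rests the formula on an empirical observation ("The RLE decoder can exit prematurly but it does not on any image available"); if that assumption is ever wrong the effect is rejecting a valid image, so a regression sample that exercises the early-exit path, or a note on where that path is, would make the assumption checkable rather than hoped for. Since the comment states RAW is proportional to W*H and therefore always larger than RLE, a per-mode check (RAW needing at least W*H bytes) would give a much tighter bound than the shared RLE minimum. Minor: "thats" and "prematurly" in the comment.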