
avcodec/pafvideo: Check for bitstream end in decode_0()

Fixes: Timeout
Fixes: 3529/clusterfuzz-testcase-5057068371279872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 2017-10-13 03:06:53 +02:00
parent ad56e8057d
commit 9c85329cd0


@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
dend = c->frame[page] + c->frame_size; dend = c->frame[page] + c->frame_size;
offset = (x & 0x7F) * 2; offset = (x & 0x7F) * 2;
j = bytestream2_get_le16(&c->gb) + offset; j = bytestream2_get_le16(&c->gb) + offset;
if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16)
return AVERROR_INVALIDDATA;
do { do {
offset++; offset++;
if (dst + 3 * c->width + 4 > dend) if (dst + 3 * c->width + 4 > dend)
@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
do { do {
set_src_position(c, &src, &send); set_src_position(c, &src, &send);
if ((src + 3 * c->width + 4 > send) || if ((src + 3 * c->width + 4 > send) ||
(dst + 3 * c->width + 4 > dend)) (dst + 3 * c->width + 4 > dend) ||
bytestream2_get_bytes_left(&c->gb) < 4)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
copy_block4(dst, src, c->width, c->width, 4); copy_block4(dst, src, c->width, c->width, 4);
i++; i++;
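Review bot: The new guard after `j = bytestream2_get_le16(&c->gb) + offset;` does not cover the case where the 16-bit count read from the packet is 0. In that case `(j - offset) * 16` is 0, so `bytes_left < 0` is never true, yet the `do { ... } while (offset < j)` loop below still runs one iteration. If each iteration consumes 16 bytes from `c->gb` (presumably inside `read4x4block`, which is not visible in this hunk), the check should require at least one block: `if (bytestream2_get_bytes_left(&c->gb) < FFMAX(j - offset, 1) * 16)`. The constants 16 here and 4 in the second hunk are unexplained, so a short comment such as `/* each 4x4 block reads 16 bytes from the packet */` would tie the guards to what the loops consume. `decode_0` starts and ends outside these hunks, so I could not confirm what reads follow the `< 4` check.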