mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-11-26 19:01:44 +02:00
avcodec/pafvideo: Check for bitstream end in decode_0()
Fixes: Timeout Fixes: 3529/clusterfuzz-testcase-5057068371279872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
ad56e8057d
commit
9c85329cd0
@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
|
|||||||
dend = c->frame[page] + c->frame_size;
|
dend = c->frame[page] + c->frame_size;
|
||||||
offset = (x & 0x7F) * 2;
|
offset = (x & 0x7F) * 2;
|
||||||
j = bytestream2_get_le16(&c->gb) + offset;
|
j = bytestream2_get_le16(&c->gb) + offset;
|
||||||
|
if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
do {
|
do {
|
||||||
offset++;
|
offset++;
|
||||||
if (dst + 3 * c->width + 4 > dend)
|
if (dst + 3 * c->width + 4 > dend)
|
||||||
@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code)
|
|||||||
do {
|
do {
|
||||||
set_src_position(c, &src, &send);
|
set_src_position(c, &src, &send);
|
||||||
if ((src + 3 * c->width + 4 > send) ||
|
if ((src + 3 * c->width + 4 > send) ||
|
||||||
(dst + 3 * c->width + 4 > dend))
|
(dst + 3 * c->width + 4 > dend) ||
|
||||||
|
bytestream2_get_bytes_left(&c->gb) < 4)
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
copy_block4(dst, src, c->width, c->width, 4);
|
copy_block4(dst, src, c->width, c->width, 4);
|
||||||
i++;
|
i++;
|
||||||
|
Loading…
Reference in New Issue
Block a user