avcodec/fitsdec: Prevent division by 0 with huge data_max

Fixes: division by 0 Fixes: 15657/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5738154838982656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit cfa193779103c97bbfc28273a0ab12c114b6786d) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-29 22:00:58 +02:00 · 2019-07-15 23:42:42 +02:00 · 2019-07-15 23:42:42 +02:00 · ae4bfed934
commit ae4bfed934
parent 3ba1413f04
1 changed files with 8 additions and 1 deletions
--- a/libavcodec/fitsdec.c
+++ b/libavcodec/fitsdec.c
@ -195,6 +195,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    uint8_t *dst8;
    uint16_t *dst16;
    uint64_t t;
    double scale;
    FITSHeader header;
    FITSContext * fitsctx = avctx->priv_data;
@ -204,6 +205,12 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
    if (ret < 0)
        return ret;
    scale = header.data_max - header.data_min;
    if (scale <= 0 || !isfinite(scale)) {
        scale = 1;
    }
    scale = 1/scale;
    if (header.rgb) {
        if (header.bitpix == 8) {
            if (header.naxisn[2] == 3) {
@ -272,7 +279,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            for (j = 0; j < avctx->width; j++) { \
                t = rd; \
                if (!header.blank_found || t != header.blank) { \
-                    *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) / (header.data_max - header.data_min); \
+                    *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale; \
                } else { \
                    *dst++ = fitsctx->blank_val; \
                } \