virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

avcodec/cdtoons: Fix off by 4 check on diff_size

Browse Source 
Fixes: out of array read
Fixes: 20742/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDTOONS_fuzzer-5738148607033344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-02-20 18:51:36 +01:00
parent 4c31db5a32
commit d2aff350bc
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libavcodec/cdtoons.c
View File

@ -269,7 +269,7 @@ static int cdtoons_decode_frame(AVCodecContext *avctx, void *data,
diff_size = bytestream_get_be32(&buf); diff_size = bytestream_get_be32(&buf);
width = bytestream_get_be16(&buf); width = bytestream_get_be16(&buf);
height = bytestream_get_be16(&buf); height = bytestream_get_be16(&buf);
if (diff_size < 4 || diff_size - 4 > eod - buf) { if (diff_size < 8 || diff_size - 4 > eod - buf) {
av_log(avctx, AV_LOG_WARNING, "Ran (seriously) out of data for Diff frame data.\n"); av_log(avctx, AV_LOG_WARNING, "Ran (seriously) out of data for Diff frame data.\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }