mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-19 05:49:09 +02:00
7d1d375245
Fixes: out of array access Fixes: 30135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-4997145650397184 Fixes: 30208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5605891665690624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5314a4996cc76e2a8534c74a66f5181e95ac64fc) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
90 lines
2.8 KiB
C
90 lines
2.8 KiB
C
/*
|
|
* PNM image parser
|
|
* Copyright (c) 2002, 2003 Fabrice Bellard
|
|
*
|
|
* This file is part of FFmpeg.
|
|
*
|
|
* FFmpeg is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* FFmpeg is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with FFmpeg; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#include "libavutil/imgutils.h"
|
|
|
|
#include "parser.h" //for ParseContext
|
|
#include "pnm.h"
|
|
|
|
|
|
static int pnm_parse(AVCodecParserContext *s, AVCodecContext *avctx,
|
|
const uint8_t **poutbuf, int *poutbuf_size,
|
|
const uint8_t *buf, int buf_size)
|
|
{
|
|
ParseContext *pc = s->priv_data;
|
|
PNMContext pnmctx;
|
|
int next;
|
|
|
|
for (; pc->overread > 0; pc->overread--) {
|
|
pc->buffer[pc->index++]= pc->buffer[pc->overread_index++];
|
|
}
|
|
retry:
|
|
if (pc->index) {
|
|
pnmctx.bytestream_start =
|
|
pnmctx.bytestream = pc->buffer;
|
|
pnmctx.bytestream_end = pc->buffer + pc->index;
|
|
} else {
|
|
pnmctx.bytestream_start =
|
|
pnmctx.bytestream = (uint8_t *) buf; /* casts avoid warnings */
|
|
pnmctx.bytestream_end = (uint8_t *) buf + buf_size;
|
|
}
|
|
if (ff_pnm_decode_header(avctx, &pnmctx) < 0) {
|
|
if (pnmctx.bytestream < pnmctx.bytestream_end) {
|
|
if (pc->index) {
|
|
pc->index = 0;
|
|
} else {
|
|
buf++;
|
|
buf_size--;
|
|
}
|
|
goto retry;
|
|
}
|
|
next = END_NOT_FOUND;
|
|
} else if (pnmctx.type < 4) {
|
|
next = END_NOT_FOUND;
|
|
} else {
|
|
int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);
|
|
next = pnmctx.bytestream - pnmctx.bytestream_start;
|
|
if (ret >= 0)
|
|
next += ret;
|
|
if (pnmctx.bytestream_start != buf)
|
|
next -= pc->index;
|
|
if (next > buf_size)
|
|
next = END_NOT_FOUND;
|
|
}
|
|
|
|
if (ff_combine_frame(pc, next, &buf, &buf_size) < 0) {
|
|
*poutbuf = NULL;
|
|
*poutbuf_size = 0;
|
|
return buf_size;
|
|
}
|
|
*poutbuf = buf;
|
|
*poutbuf_size = buf_size;
|
|
return next;
|
|
}
|
|
|
|
AVCodecParser ff_pnm_parser = {
|
|
.codec_ids = { AV_CODEC_ID_PGM, AV_CODEC_ID_PGMYUV, AV_CODEC_ID_PPM,
|
|
AV_CODEC_ID_PBM, AV_CODEC_ID_PAM },
|
|
.priv_data_size = sizeof(ParseContext),
|
|
.parser_parse = pnm_parse,
|
|
.parser_close = ff_parse_close,
|
|
};
|