ffmpeg | branch: release/3.2 | Michael Niedermayer <mich...@niedermayer.cc> | Mon Jan 23 01:25:27 2017 +0100| [bd6c1d5149fbc4f2a0200ad99e7f56f4fb7d518a] | committer: Michael Niedermayer
avcodec/pngdec: Fix off by 1 size in decode_zbuf() Fixes out of array access Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit e371f031b942d73e02c090170975561fabd5c264) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd6c1d5149fbc4f2a0200ad99e7f56f4fb7d518a --- libavcodec/pngdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 36275ae..7ade0ce 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, av_bprint_init(bp, 0, -1); while (zstream.avail_in > 0) { - av_bprint_get_buffer(bp, 1, &buf, &buf_size); - if (!buf_size) { + av_bprint_get_buffer(bp, 2, &buf, &buf_size); + if (buf_size < 2) { ret = AVERROR(ENOMEM); goto fail; } zstream.next_out = buf; - zstream.avail_out = buf_size; + zstream.avail_out = buf_size - 1; ret = inflate(&zstream, Z_PARTIAL_FLUSH); if (ret != Z_OK && ret != Z_STREAM_END) { ret = AVERROR_EXTERNAL; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
