ffmpeg | branch: master | Michael Niedermayer <[email protected]> | Sat May 5 22:00:01 2018 +0200| [cb2f7ea96b4f6e03ebf0c0563677745fc65f148e] | committer: Michael Niedermayer
avcodec/fic: Check available input space for cursor Fixes: out of array read Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cb2f7ea96b4f6e03ebf0c0563677745fc65f148e --- libavcodec/fic.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 7f70ee47e6..c288c9771b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -338,6 +338,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, skip_cursor = 1; } + if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) { + skip_cursor = 1; + } + /* Slice height for all but the last slice. */ ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; if (ctx->slice_h % 16) _______________________________________________ ffmpeg-cvslog mailing list [email protected] http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
