ffmpeg | branch: release/4.1 | Michael Niedermayer <mich...@niedermayer.cc> | Wed Jan 23 00:16:02 2019 +0100| [0f1332309aff3924fcd740cf36c61f1f9e6f026e] | committer: Michael Niedermayer
avcodec/rasc: Check uncompressed dlta size We assume that if the compressed size is bigger than if each byte is encoded in a single raw packet that the data is invalid. Fixes: Out of memory Fixes: 12208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5648916473708544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit f4079d5174c20eddbc99eef6ebe98d411f8014c5) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f1332309aff3924fcd740cf36c61f1f9e6f026e --- libavcodec/rasc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 1b607ac31e..6e32c1540e 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -353,6 +353,8 @@ static int decode_dlta(AVCodecContext *avctx, compression = bytestream2_get_le32(gb); if (compression == 1) { + if (w * h * s->bpp * 3 < uncompressed_size) + return AVERROR_INVALIDDATA; ret = decode_zlib(avctx, avpkt, size, uncompressed_size); if (ret < 0) return ret; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
