On 6/3/20 4:19 PM, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: > 22692/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5678686190960640 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/wavpack.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c > index ead57063c8..f77548e5a5 100644 > --- a/libavcodec/wavpack.c > +++ b/libavcodec/wavpack.c > @@ -1129,6 +1129,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, > int block_no, > else > sample_fmt = AV_SAMPLE_FMT_S32P; > > + if (wc->ch_offset && avctx->sample_fmt != sample_fmt) > + return AVERROR_INVALIDDATA; > + > bpp = av_get_bytes_per_sample(sample_fmt); > orig_bpp = ((s->frame_flags & 0x03) + 1) << 3; > multiblock = (s->frame_flags & WV_SINGLE_BLOCK) != WV_SINGLE_BLOCK;
Looks reasonable to me and passes my local test suite. Thanks! -David _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
