Michael Niedermayer: > Fixes: Timeout (>20sec -> 56ms) > Fixes: > 26995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-5107217080254464 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/cri.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/libavcodec/cri.c b/libavcodec/cri.c > index dafbc1f1be..9bcd2ebfc6 100644 > --- a/libavcodec/cri.c > +++ b/libavcodec/cri.c > @@ -80,10 +80,13 @@ static void unpack_10bit(GetByteContext *gb, uint16_t > *dst, int shift, > int pos = 0; > > while (count > 0) { > - uint32_t a0 = bytestream2_get_le32(gb); > - uint32_t a1 = bytestream2_get_le32(gb); > - uint32_t a2 = bytestream2_get_le32(gb); > - uint32_t a3 = bytestream2_get_le32(gb); > + uint32_t a0, a1,a2,a3; > + if (bytestream2_get_bytes_left(gb) < 4) > + break; > + a0 = bytestream2_get_le32(gb); > + a1 = bytestream2_get_le32(gb); > + a2 = bytestream2_get_le32(gb); > + a3 = bytestream2_get_le32(gb); > dst[pos] = (((a0 >> 1) & 0xE00) | (a0 & 0x1FF)) << shift; > pos++; > if (pos >= w) { > Wouldn't it make sense to check for 16 bytes to be left given that that's the amount that is read immediately afterwards? And if you check for this, you could just use bytestream2_get_le32u().
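Review bot: the new guard in the hunk checks for 4 bytes left, but the body then reads four little-endian 32-bit values, i.e. 16 bytes, so with 4 to 15 bytes remaining the loop still enters one more iteration in which only a0 comes from the input and a1 to a3 are whatever the checked reader yields on a short buffer. Checking `if (bytestream2_get_bytes_left(gb) < 16) break;` before the reads matches what the body actually consumes and is what makes the suggested switch to the unchecked `bytestream2_get_le32u()` safe. Minor style point in the same hunk: `uint32_t a0, a1,a2,a3;` should be spaced consistently as `uint32_t a0, a1, a2, a3;`.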
- Andreas

ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel