On 9/27/2021 7:37 PM, Michael Niedermayer wrote:
Fixes: Timeout
Fixes:
39089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSNSIREN_fuzzer-6677219854909440
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/siren.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/siren.c b/libavcodec/siren.c
index 7f2b4678608..708990d6654 100644
--- a/libavcodec/siren.c
+++ b/libavcodec/siren.c
@@ -718,6 +718,9 @@ static int siren_decode(AVCodecContext *avctx, void *data,
if ((ret = init_get_bits8(gb, avpkt->data, avpkt->size)) < 0)
return ret;
+ if (s->sample_rate_bits + 4 > get_bits_left(gb))
+ return AVERROR_INVALIDDATA;
This is not enough. You'll inevitably get another timeout in the future
unless you add a get_bits_left(gb) > 0 condition to the loop in
decode_envelope().
And there should be at least four bits left after decode_envelope()
returns, so check for that too.
+
skip_bits(gb, s->sample_rate_bits);
decode_envelope(s, gb, s->number_of_regions,
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
