xpmdec: Check size before allocation to avoid truncation

James Almer Thu, 12 Jan 2023 16:11:37 -0800



On 1/12/2023 9:01 PM, Michael Niedermayer wrote:

Fixes:OOM
Fixes:out of array access (no testcase)
Fixes: 
48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
  libavcodec/xpmdec.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
index ff1f51dd32..504cc47d8f 100644
--- a/libavcodec/xpmdec.c
+++ b/libavcodec/xpmdec.c
@@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame 
*p,

size *= 4;+ if (size > SIZE_MAX)

+        return AVERROR(ENOMEM);

Maybe check for (size > SIZE_MAX / 4) before the multiplication aboveinstead.

+
      ptr += mod_strcspn(ptr, ",") + 1;
      if (end - ptr < 1)
          return AVERROR_INVALIDDATA;

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation

Reply via email to