Fixes integer overflow Fixes: 1292/clusterfuzz-testcase-minimized-5795512143839232
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/flicvideo.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index b1b7b5a42f..7f9b871dc7 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -444,8 +444,12 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
 break;
 }
 
- if (stream_ptr_after_chunk - bytestream2_tell(&g2) > 0)
+ if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
 bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
+ } else {
+ av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
+ break;
+ }
 
 frame_size -= chunk_size;
 num_chunks--;
@@ -742,6 +746,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
 break;
 }
 
+ if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
+ bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
+ } else {
+ av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
+ break;
+ }
+
 frame_size -= chunk_size;
 num_chunks--;
 }
@@ -1016,6 +1027,13 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
 break;
 }
 
+ if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
+ bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
+ } else {
+ av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
+ break;
+ }
+
 frame_size -= chunk_size;
 num_chunks--;
 }
--
2.11.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
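Review bot: The guard added in all three hunks (flic_decode_frame_8BPP, flic_decode_frame_15_16BPP and flic_decode_frame_24BPP) evaluates `stream_ptr_after_chunk - bytestream2_tell(&g2)` twice and then passes the same difference to bytestream2_skip, whose size parameter is unsigned, so the intent — never let a negative difference reach the skip — reads more clearly with a named local: `int remaining = stream_ptr_after_chunk - bytestream2_tell(&g2);` followed by `if (remaining >= 0) { bytestream2_skip(&g2, remaining); } else {`. The subtraction is itself only overflow-free if stream_ptr_after_chunk was computed without overflow from the chunk size read out of the packet; that computation is outside these hunks, and a one-line comment at the guard stating the bound it relies on (e.g. `/* stream_ptr_after_chunk = tell() + chunk_size, both bounded by the packet size */`, if that is the case) would make the "integer overflow" fix auditable. On the overread path the loop only breaks and no error code is set in the hunk, so a truncated frame is presumably still returned; if that is intended, a comment such as `/* stop chunk parsing; the partially decoded frame is still output */` before the break documents it, and if not, the error should be returned. Each enclosing function starts and ends outside its hunk.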