On 1/6/19, Michael Niedermayer <mich...@niedermayer.cc> wrote: > Fixes: out of array access > Fixes: > 12381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705474280783872 > Fixes: > 12384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5725303345774592 > Fixes: > 12389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5704033050820608 > Fixes: > 12391/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5707284146028544 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/huffyuvdec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c > index 4e00692631..dfe3585e6e 100644 > --- a/libavcodec/huffyuvdec.c > +++ b/libavcodec/huffyuvdec.c > @@ -1254,7 +1254,7 @@ static int decode_frame(AVCodecContext *avctx, void > *data, int *got_frame, > slices_info_offset = AV_RL32(avpkt->data + buf_size - 4); > slice_height = AV_RL32(avpkt->data + buf_size - 8); > nb_slices = AV_RL32(avpkt->data + buf_size - 12); > - if (nb_slices * 8LL + slices_info_offset > buf_size - 16) > + if (nb_slices * 8LL + slices_info_offset > buf_size - 16 || > slice_height <= 0) > return AVERROR_INVALIDDATA; > } else { > slice_height = height; > -- > 2.20.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel >
ok _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
