On 9/2/2019 9:14 PM, Michael Niedermayer wrote:
> Fixes: OOM
> Fixes:
> 16627/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5638059583864832
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
> libavcodec/apedec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
> index e218f7c043..774ce18531 100644
> --- a/libavcodec/apedec.c
> +++ b/libavcodec/apedec.c
> @@ -1475,6 +1475,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void
> *data,
> return AVERROR_INVALIDDATA;
> }
>
> + if (nblocks * (int64_t)avctx->channels > avctx->max_samples)
> + return AVERROR(EINVAL);
> +
Shouldn't this be checked in ff_get_buffer()? Same as max_pixels, but
checking "frame->nb_samples > avctx->max_samples" instead or
width/height. Otherwise it will barely be used.
> /* Initialize the frame decoder */
> if (init_frame_decoder(s) < 0) {
> av_log(avctx, AV_LOG_ERROR, "Error reading frame header\n");
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
