har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/rscc: Check pixel_size for overflow

Browse Source 
Fixes: 1509/clusterfuzz-testcase-minimized-5129419876204544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 934572c5c3592732a30336afdf2df9926a8b4df2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-05-13 01:31:19 +02:00
parent 9b76264241
commit 3c428a5ff7
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavcodec/rscc.c
View File

@ -210,6 +210,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
ctx->tiles[i].y = bytestream2_get_le16(gbc); ctx->tiles[i].y = bytestream2_get_le16(gbc);
ctx->tiles[i].h = bytestream2_get_le16(gbc); ctx->tiles[i].h = bytestream2_get_le16(gbc);
if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size > INT_MAX) {
av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n");
ret = AVERROR_INVALIDDATA;
goto end;
}
pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size; pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size;
ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i, ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i,