har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

libavcodec/pnm_parser: do not lose skipped parts in reporting of how much was consumed

Browse Source 
Fixes: Timeout
Fixes: 9759/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PPM_fuzzer-5655277650051072
Fixes: 9753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5764378543521792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2018-09-03 23:42:22 +02:00
parent 74af6ae021
commit 4356e03fd6
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
libavcodec/pnm_parser.c
View File

@ -32,6 +32,7 @@ static int pnm_parse(AVCodecParserContext *s, AVCodecContext *avctx,
ParseContext *pc = s->priv_data; ParseContext *pc = s->priv_data;
PNMContext pnmctx; PNMContext pnmctx;
int next; int next;
int skip = 0;
for (; pc->overread > 0; pc->overread--) { for (; pc->overread > 0; pc->overread--) {
pc->buffer[pc->index++]= pc->buffer[pc->overread_index++]; pc->buffer[pc->index++]= pc->buffer[pc->overread_index++];
@ -43,8 +44,8 @@ retry:
pnmctx.bytestream_end = pc->buffer + pc->index; pnmctx.bytestream_end = pc->buffer + pc->index;
} else { } else {
pnmctx.bytestream_start = pnmctx.bytestream_start =
pnmctx.bytestream = (uint8_t *) buf; /* casts avoid warnings */ pnmctx.bytestream = (uint8_t *) buf + skip; /* casts avoid warnings */
pnmctx.bytestream_end = (uint8_t *) buf + buf_size; pnmctx.bytestream_end = (uint8_t *) buf + buf_size - skip;
} }
if (ff_pnm_decode_header(avctx, &pnmctx) < 0) { if (ff_pnm_decode_header(avctx, &pnmctx) < 0) {
if (pnmctx.bytestream < pnmctx.bytestream_end) { if (pnmctx.bytestream < pnmctx.bytestream_end) {
@ -52,8 +53,8 @@ retry:
pc->index = 0; pc->index = 0;
} else { } else {
unsigned step = FFMAX(1, pnmctx.bytestream - pnmctx.bytestream_start); unsigned step = FFMAX(1, pnmctx.bytestream - pnmctx.bytestream_start);
buf += step;
buf_size -= step; skip += step;
} }
goto retry; goto retry;
} }
@ -61,9 +62,9 @@ retry:
} else if (pnmctx.type < 4) { } else if (pnmctx.type < 4) {
next = END_NOT_FOUND; next = END_NOT_FOUND;
} else { } else {
next = pnmctx.bytestream - pnmctx.bytestream_start next = pnmctx.bytestream - pnmctx.bytestream_start + skip
+ av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1);
if (pnmctx.bytestream_start != buf) if (pnmctx.bytestream_start != buf + skip)
next -= pc->index; next -= pc->index;
if (next > buf_size) if (next > buf_size)
next = END_NOT_FOUND; next = END_NOT_FOUND;