har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/imx: Check palette chunk size

Browse Source 
Fixes: out of array write
Fixes: 32116/clusterfuzz-testcase-minimized-ffmpeg_dem_SIMBIOSIS_IMX_fuzzer-6702533894602752

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f7a515044766426cf3cac20bdc091b700f00a458)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-03-30 12:47:22 +02:00
parent de9f4351fa
commit 45f40cec3a
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libavformat/imx.c
View File

@ -113,6 +113,8 @@ retry:
imx->first_video_packet_pos = pos; imx->first_video_packet_pos = pos;
break; break;
case 0xAA98: case 0xAA98:
if (chunk_size > 256 * 3)
return AVERROR_INVALIDDATA;
for (int i = 0; i < chunk_size / 3; i++) { for (int i = 0; i < chunk_size / 3; i++) {
unsigned r = avio_r8(pb) << 18; unsigned r = avio_r8(pb) << 18;
unsigned g = avio_r8(pb) << 10; unsigned g = avio_r8(pb) << 10;