[FFmpeg-cvslog] avcodec/mjpegdec: Check that reference frame matches the current frame

Michael Niedermayer git at videolan.org
Sun Jun 18 17:33:51 EEST 2017


ffmpeg | branch: release/3.1 | Michael Niedermayer <michael at niedermayer.cc> | Mon Jun  5 22:23:15 2017 +0200| [79f0677332c3ca619b6bd192df13106a6235378e] | committer: Michael Niedermayer

avcodec/mjpegdec: Check that reference frame matches the current frame

Fixes: out of array read
Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79f0677332c3ca619b6bd192df13106a6235378e
---

 libavcodec/mjpegdec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index ba0e714f2b..32b6b3b84d 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1475,6 +1475,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
         return -1;
     }
 
+    if (reference) {
+        if (reference->width  != s->picture_ptr->width  ||
+            reference->height != s->picture_ptr->height ||
+            reference->format != s->picture_ptr->format) {
+            av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n");
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
     av_assert0(s->picture_ptr->data[0]);
     /* XXX: verify len field validity */
     len = get_bits(&s->gb, 16);
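Review bot: the new check compares only width, height and format; if the code that later reads from reference->data indexes it with the current frame's linesize, a stride mismatch between the two frames would still pass this check, so consider also comparing the linesize[] entries or noting why equal dimensions and format guarantee equal strides here. A smaller point: "Reference mismatching" gives a triager nothing to work with; logging both frames' values, e.g. `"Reference %dx%d fmt %d does not match %dx%d fmt %d\n"`, would make cases like the clusterfuzz testcase cited in the commit message quicker to diagnose. The nested `if (reference) { if (... ) }` could also be flattened into a single `if (reference && (...))` condition to match the surrounding style.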
