[FFmpeg-devel] [PATCH] avcodec/escape124: Check buf_size against num_superblocks

James Almer jamrial at gmail.com
Mon Jun 25 01:00:25 EEST 2018


On 6/24/2018 6:18 PM, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/escape124.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
> index eb051eba54..33c67e7754 100644
> --- a/libavcodec/escape124.c
> +++ b/libavcodec/escape124.c
> @@ -221,7 +221,7 @@ static int escape124_decode_frame(AVCodecContext *avctx,
>  
>      // This call also guards the potential depth reads for the
>      // codebook unpacking.
> -    if (get_bits_left(&gb) < 64)
> +    if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320)

An explanation of what these numbers and/or the overall check mean would
help people reading this code in the future.

>          return -1;
>  
>      frame_flags = get_bits_long(&gb, 32);
> 



More information about the ffmpeg-devel mailing list