[FFmpeg-devel] [PATCH] avcodec/fic: Check available input space for cursor

wm4 nfxjfg at googlemail.com
Sun May 6 00:11:38 EEST 2018


On Sat,  5 May 2018 22:47:37 +0200
Michael Niedermayer <michael at niedermayer.cc> wrote:

> Fixes: out of array read
> Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/fic.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/libavcodec/fic.c b/libavcodec/fic.c
> index d7ee370423..6824a5683c 100644
> --- a/libavcodec/fic.c
> +++ b/libavcodec/fic.c
> @@ -337,6 +337,11 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
>          skip_cursor = 1;
>      }
>  
> +    if (!skip_cursor && avpkt->size < 59 + 32 * 32 * 4) {
> +        av_log(avctx, AV_LOG_WARNING, "Input is cursorless\n");
> +        skip_cursor = 1;
> +    }
> +
>      /* Slice height for all but the last slice. */
>      ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices;
>      if (ctx->slice_h % 16)

No warning needed.


More information about the ffmpeg-devel mailing list