[FFmpeg-cvslog] avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM
Michael Niedermayer
git at videolan.org
Fri Jan 31 01:13:50 EET 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Fri Jan 3 23:24:15 2020 +0100| [8652f4e7a15e56fadf9697188c1ed42c9981db82] | committer: Michael Niedermayer
avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM
IFF-PBM-HAM6 can read out of array without this overallocation
Fixes: Out of array read
Fixes: 19752/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5675331403120640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8652f4e7a15e56fadf9697188c1ed42c9981db82
---
libavcodec/iff.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index d826e78089..acd6519b06 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -332,13 +332,17 @@ static int extract_header(AVCodecContext *const avctx,
int i, count = FFMIN(palette_size / 3, 1 << s->ham);
int ham_count;
const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata);
+ int extra_space = 1;
+
+ if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4)
+ extra_space = 4;
s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE);
if (!s->ham_buf)
return AVERROR(ENOMEM);
ham_count = 8 * (1 << s->ham);
- s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
+ s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE);
if (!s->ham_palbuf) {
av_freep(&s->ham_buf);
return AVERROR(ENOMEM);
More information about the ffmpeg-cvslog
mailing list