[FFmpeg-cvslog] avcodec/iff: limit written bytes to twice the output array size in decode_delta_l()
Michael Niedermayer
git at videolan.org
Mon Nov 29 19:42:27 EET 2021
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Oct 2 23:37:05 2021 +0200| [3809467d4dc26a1ec7d7afb617c2a1f89eaa6a8b] | committer: Michael Niedermayer
avcodec/iff: limit written bytes to twice the output array size in decode_delta_l()
Fixes: Timeout
Fixes: 39436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6624915520880640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3809467d4dc26a1ec7d7afb617c2a1f89eaa6a8b
---
libavcodec/iff.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index 6a4c466b44..1dcf0e00ed 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -1456,6 +1456,7 @@ static void decode_delta_l(uint8_t *dst,
int planepitch_byte = (w + 7) / 8;
int planepitch = ((w + 15) / 16) * 2;
int pitch = planepitch * bpp;
+ int count = 0;
if (buf_end - buf <= 64)
return;
@@ -1487,6 +1488,8 @@ static void decode_delta_l(uint8_t *dst,
int16_t cnt = bytestream2_get_be16(&ogb);
uint16_t data;
+ if (count > dst_size)
+ break;
offset = ((2 * offset) / planepitch_byte) * pitch + ((2 * offset) % planepitch_byte) + k * planepitch;
if (cnt < 0) {
if (bytestream2_get_bytes_left(&dgb) < 2)
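Review bot: The new guard `if (count > dst_size)` compares a count of 16-bit words against a byte size, so it stops after roughly 2*dst_size bytes as the commit title says, but nothing in the code records that unit mismatch; a reader will take it for an off-by-factor bug. Add above the check `/* count is in 16-bit words, dst_size in bytes: bounds work at ~2*dst_size output bytes */`. Because the check runs before the `count += cnt` added in the two later hunks, one more run of up to 32767 words is still processed after the limit is reached; checking `count + cnt > dst_size` (after `cnt = -cnt` in the negative branch) before the `bytestream2_seek_p` would make the bound tight, though for a timeout mitigation the loose form is adequate. This presumably only limits work, not memory safety, since the puts go through the bounded PutByteContext. decode_delta_l's signature and the enclosing loop start outside the hunk.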
@@ -1494,6 +1497,7 @@ static void decode_delta_l(uint8_t *dst,
bytestream2_seek_p(&pb, offset, SEEK_SET);
cnt = -cnt;
data = bytestream2_get_be16(&dgb);
+ count += cnt;
for (i = 0; i < cnt; i++) {
bytestream2_put_be16(&pb, data);
bytestream2_skip_p(&pb, dstpitch - 2);
@@ -1502,6 +1506,7 @@ static void decode_delta_l(uint8_t *dst,
if (bytestream2_get_bytes_left(&dgb) < 2*cnt)
break;
bytestream2_seek_p(&pb, offset, SEEK_SET);
+ count += cnt;
for (i = 0; i < cnt; i++) {
data = bytestream2_get_be16(&dgb);
bytestream2_put_be16(&pb, data);