highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/flvdec: Check for nesting depth in amf_parse_object()

Browse Source 
Fixes: out of array access
Fixes: 29202/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5112845840809984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 074e204b42acdacc0a055671481e00914524af93)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-01-23 21:20:57 +01:00
parent 0f5f93d498
commit a280136c7a
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavformat/flvdec.c
View File

@ -41,6 +41,8 @@
#define RESYNC_BUFFER_SIZE (1<<20) #define RESYNC_BUFFER_SIZE (1<<20)
#define MAX_DEPTH 16 ///< arbitrary limit to prevent unbounded recursion
typedef struct FLVContext { typedef struct FLVContext {
const AVClass *class; ///< Class for private options. const AVClass *class; ///< Class for private options.
int trust_metadata; ///< configure streams according onMetaData int trust_metadata; ///< configure streams according onMetaData
@ -467,6 +469,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream,
char str_val[1024]; char str_val[1024];
double num_val; double num_val;
if (depth > MAX_DEPTH)
return AVERROR_PATCHWELCOME;
num_val = 0; num_val = 0;
ioc = s->pb; ioc = s->pb;
if (avio_feof(ioc)) if (avio_feof(ioc))