highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/dxtory: Check slice sizes before allocating image

Browse Source 
Fixes: Timeout (26sec -> 2sec)
Fixes: 13612/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-5676845977042944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2019-03-16 11:02:48 +01:00
parent 1223696c72
commit d92034a06a
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/dxtory.c
View File

@@ -272,10 +272,11 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic,
setup_lru_func setup_lru, setup_lru_func setup_lru,
enum AVPixelFormat fmt) enum AVPixelFormat fmt)
{ {
GetByteContext gb; GetByteContext gb, gb_check;
GetBitContext gb2; GetBitContext gb2;
int nslices, slice, line = 0; int nslices, slice, line = 0;
uint32_t off, slice_size; uint32_t off, slice_size;
uint64_t off_check;
uint8_t lru[3][8]; uint8_t lru[3][8];
int ret; int ret;
@@ -283,6 +284,13 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic,
if (ret < 0) if (ret < 0)
return ret; return ret;
off_check = off;
gb_check = gb;
for (slice = 0; slice < nslices; slice++)
off_check += bytestream2_get_le32(&gb_check);
if (off_check - avctx->discard_damaged_percentage*off_check/100 > src_size)
return AVERROR_INVALIDDATA;
avctx->pix_fmt = fmt; avctx->pix_fmt = fmt;
if ((ret = ff_get_buffer(avctx, pic, 0)) < 0) if ((ret = ff_get_buffer(avctx, pic, 0)) < 0)
return ret; return ret;