breeze/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2026-02-04 14:30:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/flicvideo: Check for chunk overread

Browse Source 
Fixes integer overflow
Fixes: 1292/clusterfuzz-testcase-minimized-5795512143839232

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2017-05-01 22:54:15 +02:00
parent c1c3a14073
commit d2657d225c
1 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
libavcodec/flicvideo.c
View File

@@ -444,8 +444,12 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
break;
}
if (stream_ptr_after_chunk - bytestream2_tell(&g2) > 0)
if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
} else {
av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
break;
}
frame_size -= chunk_size;
num_chunks--;
@@ -742,6 +746,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
break;
}
if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
} else {
av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
break;
}
frame_size -= chunk_size;
num_chunks--;
}
@@ -1016,6 +1027,13 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
break;
}
if (stream_ptr_after_chunk - bytestream2_tell(&g2) >= 0) {
bytestream2_skip(&g2, stream_ptr_after_chunk - bytestream2_tell(&g2));
} else {
av_log(avctx, AV_LOG_ERROR, "Chunk overread\n");
break;
}
frame_size -= chunk_size;
num_chunks--;
}