ffmpeg | branch: master | Michael Niedermayer <[email protected]> | Thu Jan 12 00:16:01 2023 +0100| [9f0602a717c3939529bfe49734f3d8029dc36625] | committer: Michael Niedermayer
avcodec/sgidec: do not forget the number of components in read_uncompressed_sgi() Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6704753329700864 Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6683986844057600 Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6697387691474944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f0602a717c3939529bfe49734f3d8029dc36625 --- libavcodec/sgidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 6ff2ee97f6..92083f23de 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -159,7 +159,7 @@ static int read_uncompressed_sgi(uint8_t *const out[4], const ptrdiff_t stride[4 unsigned rowsize = width * bytes_per_channel; /* Test buffer size. */ - if (rowsize * (int64_t)height > bytestream2_get_bytes_left(g)) + if (rowsize * (int64_t)height * nb_components > bytestream2_get_bytes_left(g)) return AVERROR_INVALIDDATA; for (unsigned z = 0; z < nb_components; z++) { _______________________________________________ ffmpeg-cvslog mailing list [email protected] https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
