Quoting Michael Niedermayer (2021-01-30 20:28:26) > Fixes: out of array access > Fixes: > 29345/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5401813482340352 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/hapdec.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c > index ab364aa790..260fda2968 100644 > --- a/libavcodec/hapdec.c > +++ b/libavcodec/hapdec.c > @@ -86,6 +86,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, > int size) > return ret; > for (i = 0; i < section_size / 4; i++) { > ctx->chunks[i].compressed_offset = > bytestream2_get_le32(gbc); > + if (ctx->chunks[i].compressed_offset < 0)
Would it not be better to change compressed_offset to uint32 or size_t? -- Anton Khirnov _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
