On Mon, Sep 02, 2019 at 09:40:47PM -0300, James Almer wrote: > On 9/2/2019 9:14 PM, Michael Niedermayer wrote: > > Fixes: OOM > > Fixes: > > 16627/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5638059583864832 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavcodec/apedec.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c > > index e218f7c043..774ce18531 100644 > > --- a/libavcodec/apedec.c > > +++ b/libavcodec/apedec.c > > @@ -1475,6 +1475,9 @@ static int ape_decode_frame(AVCodecContext *avctx, > > void *data, > > return AVERROR_INVALIDDATA; > > } > > > > + if (nblocks * (int64_t)avctx->channels > avctx->max_samples) > > + return AVERROR(EINVAL); > > + > > Shouldn't this be checked in ff_get_buffer()? Same as max_pixels, but > checking "frame->nb_samples > avctx->max_samples" instead or > width/height. Otherwise it will barely be used.
you are correct, it should be checked in *get_buffer somewhere too. But the offending allocation occurs before any *get_buffer calls so this check here is what is neccessary and sufficient for this specific bug Thanks [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB It is what and why we do it that matters, not just one of them.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
