Re: [FFmpeg-devel] [PATCH 1/3] avcodec/bintext: Check input size before allocating the input image
On Wed, Sep 12, 2018 at 03:08:06AM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 9795/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-5768631928487936
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer
> ---
> libavcodec/bintext.c | 3 +++
> 1 file changed, 3 insertions(+)

will apply

[...]

--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and there is nothing more to fear from them, then he is always stirring up some war or other, in order that the people may require a leader. -- Plato

___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
[FFmpeg-devel] [PATCH 1/3] avcodec/bintext: Check input size before allocating the input image
Fixes: Timeout Fixes: 9795/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-5768631928487936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/bintext.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c index d967317671..b14a2a9c29 100644 --- a/libavcodec/bintext.c +++ b/libavcodec/bintext.c @@ -146,6 +146,9 @@ static int decode_frame(AVCodecContext *avctx, const uint8_t *buf_end = buf+buf_size; int ret; +if ((avctx->width / FONT_WIDTH) * (avctx->height / s->font_height) / 256 > buf_size) +return AVERROR_INVALIDDATA; + s->x = s->y = 0; if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; -- 2.18.0 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
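Review bot: the condition added to decode_frame() ahead of ff_reget_buffer() divides by a bare 256 with no comment saying what ratio of character cells to input bytes it stands for, so a later reader cannot tell whether the bound is exact or a heuristic; a one-line comment or a named constant would document the intent. The cell count `(avctx->width / FONT_WIDTH) * (avctx->height / s->font_height)` is also multiplied in int before the division, and the hunk does not show that the dimensions are bounded enough to keep that product from overflowing or that s->font_height is guaranteed non-zero at this point. If neither is enforced earlier in the decoder, compute the product in a 64-bit type and reject a zero font height before this test.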