Re: [FFmpeg-devel] [PATCH 2/6] Execure whole size check earlier for rv20
Michael Niedermayer: > Fixes: Timeout > Fixes: > 31380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV20_fuzzer-5230899257016320 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavcodec/rv10.c | 8 ++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c > index bd70689cab..9c3a48c251 100644 > --- a/libavcodec/rv10.c > +++ b/libavcodec/rv10.c > @@ -154,7 +154,7 @@ static int rv10_decode_picture_header(MpegEncContext *s) > return mb_count; > } > > -static int rv20_decode_picture_header(RVDecContext *rv) > +static int rv20_decode_picture_header(RVDecContext *rv, int whole_size) > { > MpegEncContext *s = >m; > int seq, mb_pos, i, ret; > @@ -232,6 +232,10 @@ static int rv20_decode_picture_header(RVDecContext *rv) > "attempting to change resolution to %dx%d\n", new_w, > new_h); > if (av_image_check_size(new_w, new_h, 0, s->avctx) < 0) > return AVERROR_INVALIDDATA; > + > +if (whole_size < (new_w + 15)/16 * ((new_h + 15)/16) / 8) > +return AVERROR_INVALIDDATA; > + > ff_mpv_common_end(s); > > // attempt to keep aspect during typical resolution switches > @@ -447,7 +451,7 @@ static int rv10_decode_packet(AVCodecContext *avctx, > const uint8_t *buf, > if (s->codec_id == AV_CODEC_ID_RV10) > mb_count = rv10_decode_picture_header(s); > else > -mb_count = rv20_decode_picture_header(rv); > +mb_count = rv20_decode_picture_header(rv, whole_size); > if (mb_count < 0) { > if (mb_count != ERROR_SKIP_FRAME) > av_log(s->avctx, AV_LOG_ERROR, "HEADER ERROR\n"); > Typo: Execute. - Andreas ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 2/6] Execure whole size check earlier for rv20
Fixes: Timeout Fixes: 31380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV20_fuzzer-5230899257016320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer
---
 libavcodec/rv10.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index bd70689cab..9c3a48c251 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -154,7 +154,7 @@ static int rv10_decode_picture_header(MpegEncContext *s)
 return mb_count;
 }
 
-static int rv20_decode_picture_header(RVDecContext *rv)
+static int rv20_decode_picture_header(RVDecContext *rv, int whole_size)
 {
 MpegEncContext *s = >m;
 int seq, mb_pos, i, ret;
@@ -232,6 +232,10 @@ static int rv20_decode_picture_header(RVDecContext *rv)
 "attempting to change resolution to %dx%d\n", new_w, new_h);
 if (av_image_check_size(new_w, new_h, 0, s->avctx) < 0)
 return AVERROR_INVALIDDATA;
+
+if (whole_size < (new_w + 15)/16 * ((new_h + 15)/16) / 8)
+return AVERROR_INVALIDDATA;
+
 ff_mpv_common_end(s);
 
 // attempt to keep aspect during typical resolution switches
@@ -447,7 +451,7 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf,
 if (s->codec_id == AV_CODEC_ID_RV10)
 mb_count = rv10_decode_picture_header(s);
 else
-mb_count = rv20_decode_picture_header(rv);
+mb_count = rv20_decode_picture_header(rv, whole_size);
 if (mb_count < 0) {
 if (mb_count != ERROR_SKIP_FRAME)
 av_log(s->avctx, AV_LOG_ERROR, "HEADER ERROR\n");
--
2.17.1
___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
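Review bot: The `/ 8` in the new size test inside rv20_decode_picture_header's resolution-change path is unexplained, so the bound it enforces (roughly one bit of input per 16x16 macroblock, rounded down) is invisible to the next reader. A comment above the `if`, such as `/* reject packets too small to carry one bit per macroblock before paying for a reinit */`, would record why the test sits ahead of `ff_mpv_common_end(s)`. The subject line says the check is being run earlier, which suggests an equivalent expression exists further down the decode path; that code is outside these hunks, so confirm the two cannot drift apart, or compute the threshold in one shared helper. The multiplication appears to rely on the `av_image_check_size` call just above to keep `new_w` and `new_h` in a range where the macroblock count fits in `int`, and that dependency is worth stating in the same comment. The function body begins and ends outside the hunk, and the other two hunks only pass `whole_size` through.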